Detection rules › Sigma
Event log cleared (native)
Detects scenarios where an attacker cleared the event logs.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1070.001 Indicator Removal: Clear Windows Event Logs |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Eventlog | Event ID 104 | The LogFileCleared.Channel log file was cleared. |
| Eventlog | Event ID 1102 | The audit log was cleared. |
Rule body yaml
title: Event log cleared (native)
description: Detects scenarios where an attacker cleared the event logs.
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0005-Defense%20Evasion/T1070.001-Clear%20Windows%20event%20logs
tags:
- attack.defense_evasion
- attack.t1070.001 # Indicator Removal: Clear Windows Event Logs
author: mdecrevoisier
status: experimental
logsource:
product: windows
service: security, system
detection:
selection:
EventID:
- 1102 # Security event log cleared (reported in Security channel). Attention, this Event ID is also produced by ADFS in the same Channel
- 104 # Other event log cleared (reported in System channel).
condition: selection
falsepositives:
- Exchange Servers
level: high
Stages and Predicates
Stage 0: condition
selectionStage 1: selection
selection:
EventID:
- 1102 # Security event log cleared (reported in Security channel). Attention, this Event ID is also produced by ADFS in the same Channel
- 104 # Other event log cleared (reported in System channel).