Eventlog Cleared

Severity: medium
Author: Florian Roth (Nextron Systems)
Source: upstream

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1070.001` Indicator Removal: Clear Windows Event Logs

Event coverage

Provider	Event ID	Title
Eventlog	104	The LogFileCleared.Channel log file was cleared.

Stages and Predicates

Stage 1: `selection`

Provider_Name: Microsoft-Windows-Eventlog

Stage 2: `not 1 of filter_main_covered`

Channel: ['Microsoft-Windows-PowerShell/Operational', 'Microsoft-Windows-Sysmon/Operational', 'PowerShellCore/Operational', Security, System, 'Windows PowerShell']

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Channel`	eq	`Microsoft-Windows-PowerShell/Operational` corpus 2 (sigma 2) `Microsoft-Windows-Sysmon/Operational` corpus 2 (sigma 2) `PowerShellCore/Operational` corpus 2 (sigma 2) `Security` corpus 2 (sigma 2) `System` corpus 2 (sigma 2) `Windows PowerShell` corpus 2 (sigma 2)
`Provider_Name`	eq	`Microsoft-Windows-Eventlog` corpus 3 (sigma 3)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Important Windows Eventlog Cleared [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)