forked from SigmaHQ/sigma
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathposh_ps_susp_clear_eventlog.yml
41 lines (41 loc) · 2.01 KB
/
posh_ps_susp_clear_eventlog.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
title: Suspicious Eventlog Clear
id: 0f017df3-8f5a-414f-ad6b-24aff1128278
related:
- id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
type: derived
status: test
description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
references:
- https://twitter.com/oroneequalsone/status/1568432028361830402
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-09-12
modified: 2025-03-12
tags:
- attack.defense-evasion
- attack.t1070.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
- ScriptBlockText|contains:
- 'Clear-EventLog '
- 'Remove-EventLog '
- 'Limit-EventLog '
- 'Clear-WinEvent '
- ScriptBlockText|contains|all:
- 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
- 'ClearLog'
- ScriptBlockText|contains:
- 'Diagnostics.EventLog'
- 'Clear'
condition: selection
falsepositives:
- Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate
level: medium