Attack: Indicator Removal on Host: Clear Windows Event Logs
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer’s alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
With administrator privileges, the event logs can be cleared with the following utility commands:
wevtutil cl system
wevtutil cl application
wevtutil cl security
These logs may also be cleared through other mechanisms, such as the Event Viewer GUI or PowerShell. For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security to delete the Security event log and, after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot. (Citation: disable_win_evt_logging)
Adversaries may also attempt to clear logs by directly deleting the stored log files within C:\Windows\System32\winevt\logs\.
MITRE
Tactic
- defense-evasion
Technique
- T1070.001
Test: Clear Event Logs via VBA
OS
- windows
Description:
This module utilizes WMI via VBA to clear the Security and Backup event logs from the system.
Elevation is required for this module to execute properly; otherwise WINWORD will throw an "Access Denied" error.
Executor
powershell
Sigma Rule
- image_load_office_vbadll_load.yml (id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9)
- image_load_dll_dbghelp_dbgcore_susp_load.yml (id: 0e277796-5f23-4e49-a490-483131d4f6e1)
- win_security_audit_log_cleared.yml (id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982)
- win_system_eventlog_cleared.yml (id: a62b37e0-45d3-48d9-a517-90c1a1b0186b)
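The two "log cleared" rules above rely on a useful property of the Windows event log service: when a log is cleared, the Microsoft-Windows-Eventlog provider writes a record describing the clearing as the first entry of the freshly emptied log (Event ID 1102 in Security, Event ID 104 in System), so the evidence survives the clearing it describes. The wevtutil commands quoted in the description are a second signal, visible in process-creation telemetry if command-line logging is enabled. The following Python is an added example written for this page, not code from Sigma, MITRE or Atomic Red Team: it runs detection logic equivalent to those two rules, plus a wevtutil clear-log command-line check, over a small set of constructed sample events. The flat field names (Channel, EventID, Provider, User, CommandLine) are an assumption about how a SIEM has normalised the records; adjust them to your schema.

```python
"""Detect Windows event log clearing (ATT&CK T1070.001).

Added example for this page. Mirrors the logic of the listed Sigma rules
win_security_audit_log_cleared (Security/1102) and
win_system_eventlog_cleared (System/104), and additionally flags
process-creation events whose command line invokes `wevtutil cl`.
Sample events below are constructed; field names are an assumed
SIEM normalisation, not a fixed Windows schema.
"""
from dataclasses import dataclass
import re

# Records written by the event log service itself at clearing time.
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"
SECURITY_LOG_CLEARED = 1102   # "The audit log was cleared"
SYSTEM_LOG_CLEARED = 104      # "The System log file was cleared"

# Process-creation sources: Sysmon Event ID 1 and Security Event ID 4688.
PROCESS_CREATION_IDS = {1, 4688}
# wevtutil's clear verb is "cl" or "clear-log"; anchored on whitespace so a
# query such as "wevtutil qe security /c:5" does not match.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(\.exe)?\b.*\s(cl|clear-log)(\s|$)",
                            re.IGNORECASE)


@dataclass
class Finding:
    rule: str     # which detection fired
    user: str     # account associated with the event
    detail: str   # short human-readable context


def detect_log_clearing(events):
    """Return a Finding for every event that indicates log clearing."""
    findings = []
    for ev in events:
        channel = ev.get("Channel", "")
        eid = ev.get("EventID")
        provider = ev.get("Provider", "")
        user = ev.get("User", "unknown")
        if provider == EVENTLOG_PROVIDER and channel == "Security" \
                and eid == SECURITY_LOG_CLEARED:
            findings.append(Finding("security_audit_log_cleared", user,
                                    "Security log cleared (Event ID 1102)"))
        elif provider == EVENTLOG_PROVIDER and channel == "System" \
                and eid == SYSTEM_LOG_CLEARED:
            findings.append(Finding("system_eventlog_cleared", user,
                                    "System log cleared (Event ID 104)"))
        elif eid in PROCESS_CREATION_IDS \
                and WEVTUTIL_CLEAR.search(ev.get("CommandLine", "")):
            findings.append(Finding("wevtutil_clear_log", user,
                                    ev["CommandLine"]))
    return findings


# Constructed sample telemetry: one benign logon, the two "log cleared"
# records, one wevtutil clear and one wevtutil query that must not fire.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624,
     "Provider": "Microsoft-Windows-Security-Auditing", "User": "labadmin"},
    {"Channel": "Security", "EventID": 1102,
     "Provider": EVENTLOG_PROVIDER, "User": "labadmin"},
    {"Channel": "System", "EventID": 104,
     "Provider": EVENTLOG_PROVIDER, "User": "labadmin"},
    {"Channel": "Security", "EventID": 4688,
     "Provider": "Microsoft-Windows-Security-Auditing", "User": "labadmin",
     "CommandLine": "wevtutil.exe cl application"},
    {"Channel": "Security", "EventID": 4688,
     "Provider": "Microsoft-Windows-Security-Auditing", "User": "labadmin",
     "CommandLine": "wevtutil.exe qe security /c:5"},
]

if __name__ == "__main__":
    for f in detect_log_clearing(SAMPLE_EVENTS):
        print(f"[{f.rule}] user={f.user} :: {f.detail}")
```

The 1102/104 checks need no command-line auditing and cover the Event Viewer, PowerShell and WMI paths as well as wevtutil, which is why the two Sigma rules above are the primary detection; the wevtutil check only adds attribution to a process when 4688 command-line auditing or Sysmon is in place. Note that deleting the .evtx files directly, as the description mentions, produces neither record, so file-integrity or file-deletion telemetry on C:\Windows\System32\winevt\logs\ is the complementary control for that path.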