title: Important Windows Eventlog Cleared
id: 100ef69e-3327-481c-8e5c-6d80d9507556
related:
- id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
type: derived
status: test
description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-17
modified: 2023-11-15
tags:
- attack.defense-impairment
- attack.t1685.005
- car.2016-04-002
logsource:
product: windows
service: system
detection:
selection:
EventID: 104
Provider_Name: 'Microsoft-Windows-Eventlog'
Channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'Microsoft-Windows-Sysmon/Operational'
- 'PowerShellCore/Operational'
- 'Security'
- 'System'
- 'Windows PowerShell'
condition: selection
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
level: high
title: Security Eventlog Cleared
id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
related:
- id: f2f01843-e7b8-4f95-a35a-d23584476423
type: obsolete
- id: a122ac13-daf8-4175-83a2-72c387be339d
type: obsolete
status: test
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2022-02-24
tags:
- attack.defense-impairment
- attack.t1685.005
- car.2016-04-002
logsource:
product: windows
service: security
detection:
selection_517:
EventID: 517
Provider_Name: Security
selection_1102:
EventID: 1102
Provider_Name: Microsoft-Windows-Eventlog
condition: 1 of selection_*
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
level: high
title: Suspicious Eventlog Clearing or Configuration Change Activity
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
status: stable
description: |
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
This technique were seen used by threat actors and ransomware strains in order to evade defenses.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
- https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
- https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc
- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-09-26
modified: 2025-03-12
tags:
- attack.defense-impairment
- attack.t1685.005
- attack.t1685.001
- car.2016-04-002
logsource:
category: process_creation
product: windows
detection:
selection_wevtutil_img:
- Image|endswith: '\wevtutil.exe'
- OriginalFileName: 'wevtutil.exe'
selection_wevtutil_cmd:
CommandLine|contains:
- 'clear-log ' # clears specified log
- ' cl ' # short version of 'clear-log'
- 'set-log ' # modifies config of specified log. could be uset to set it to a tiny size
- ' sl ' # short version of 'set-log'
- 'lfn:' # change log file location and name
selection_other_ps_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
selection_other_ps_cmd:
- CommandLine|contains:
- 'Clear-EventLog '
- 'Remove-EventLog '
- 'Limit-EventLog '
- 'Clear-WinEvent '
- CommandLine|contains|all:
- 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
- 'ClearLog'
- CommandLine|contains|all:
- 'Diagnostics.EventLog'
- 'Clear'
selection_other_wmi:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\wmic.exe'
CommandLine|contains: 'ClearEventLog'
filter_main_msiexec:
# Example seen during office update/installation:
# ParentImage: C:\Windows\SysWOW64\msiexec.exe
# CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
ParentImage:
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\msiexec.exe'
CommandLine|contains: ' sl '
condition: (all of selection_wevtutil_*) or (all of selection_other_ps_*) or (selection_other_wmi) and not 1 of filter_main_*
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
- Maintenance activity
level: high
title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
id: cd1f961e-0b96-436b-b7c6-38da4583ec00
status: test
description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
references:
- https://twitter.com/0gtweet/status/1359039665232306183?s=21
- https://ss64.com/nt/logman.html
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2023-02-21
tags:
- attack.defense-impairment
- attack.t1685
- attack.t1685.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\logman.exe'
- OriginalFileName: 'Logman.exe'
selection_action:
CommandLine|contains:
- 'stop '
- 'delete '
selection_service:
CommandLine|contains:
- 'Circular Kernel Context Logger'
- 'EventLog-' # Cover multiple traces starting with EventLog-*
- 'SYSMON TRACE'
- 'SysmonDnsEtwSession'
condition: all of selection*
falsepositives:
- Legitimate deactivation by administrative staff
- Installer tools that disable services, e.g. before log collection agent installation
level: high
title: Eventlog Cleared
id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
related:
- id: f2f01843-e7b8-4f95-a35a-d23584476423
type: obsolete
- id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
type: derived
- id: 100ef69e-3327-481c-8e5c-6d80d9507556
type: derived
status: test
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2023-11-15
tags:
- attack.defense-impairment
- attack.t1685.005
- car.2016-04-002
logsource:
product: windows
service: system
detection:
selection:
EventID: 104
Provider_Name: 'Microsoft-Windows-Eventlog'
filter_main_covered:
# The channels below are already covered by the rule 100ef69e-3327-481c-8e5c-6d80d9507556
Channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'Microsoft-Windows-Sysmon/Operational'
- 'PowerShellCore/Operational'
- 'Security'
- 'System'
- 'Windows PowerShell'
condition: selection and not 1 of filter_main_*
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
level: medium
title: Suspicious Eventlog Clear
id: 0f017df3-8f5a-414f-ad6b-24aff1128278
related:
- id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
type: derived
status: test
description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
references:
- https://twitter.com/oroneequalsone/status/1568432028361830402
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-09-12
modified: 2025-10-06
tags:
- attack.defense-impairment
- attack.t1685.005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
- ScriptBlockText|contains:
- 'Clear-EventLog '
- 'Remove-EventLog '
- 'Limit-EventLog '
- 'Clear-WinEvent '
- ScriptBlockText|contains|all:
- 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
- 'ClearLog'
- ScriptBlockText|contains|all:
- 'Diagnostics.EventLog'
- 'Clear'
condition: selection
falsepositives:
- Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate
level: medium