SigmaHQ/rules/windows/builtin/win_eventlog_cleared.yml

title: Eventlog Cleared Experimental
status: experimental
description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
author: Florian Roth
date: 2017/06/27
references:
    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
tags:
    - attack.defense_evasion
    - attack.t1070
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 104
        Source: Eventlog
    condition: selection
falsepositives:
    - unknown
level: high
Update win_eventlog_cleared.yml Experimental Rule is a duplicate of https://github.com/Neo23x0/sigma/blob/bfc7012043317632265a897c8a4901f266cda992/rules/windows/builtin/win_susp_eventlog_cleared.yml. I renamed it experimental just in case. I believe one of them should be removed. I caught it while transforming every rule to elastalert format 2018-12-05 02:40:00 +00:00			`title: Eventlog Cleared Experimental`
Eventlog cleared ID 104 2017-06-27 15:28:19 +00:00			`status: experimental`
			`description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution`
			`author: Florian Roth`
			`date: 2017/06/27`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1070`
Eventlog cleared ID 104 2017-06-27 15:28:19 +00:00			`logsource:`
			`product: windows`
			`service: system`
			`detection:`
			`selection:`
			`EventID: 104`
			`Source: Eventlog`
			`condition: selection`
			`falsepositives:`
			`- unknown`
			`level: high`