title: Eventlog Cleared Experimental
status: experimental
description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
author: Florian Roth
date: 2017/06/27
references:
    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
tags:
    - attack.defense_evasion
    - attack.t1070
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 104
        Source: Eventlog
    condition: selection
falsepositives:
    - unknown
level: high