T1070 delete system logs using power shell (#642)

* stop eventlog service and delete Security.evtx logs * add tests * fix format error * try 2 fix formatting
2019-11-11 23:37:19 -08:00
parent 0a1f37aa54
commit aa0aca3b2e
1 changed files with 27 additions and 1 deletions
@@ -70,4 +70,30 @@ atomic_tests:
  executor:
    name: bash
    command: |
-      echo 0> #{log_path}
+      echo 0> #{log_path}
+
+- name: Delete System Logs Using PowerShell
+  description: |
+    Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments
+  supported_platforms:
+    - windows
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      $eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
+      Stop-Process -Id $eventLogId -Force
+      Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
+    cleanup_command: |
+      Start-Service -Name EventLog
+
+- name: Delete System Logs Using Clear-EventLogId
+  description: |
+    Clear event logs using built-in PowerShell commands
+  supported_platforms:
+    - windows
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      Clear-EventLog -logname Application