security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Clearing Windows Event Logs (#2233)

Browse Source 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
TotalKnob
2022-08-24 02:41:30 +02:00
committed by GitHub
parent dfef597794
commit 023fbc7bbd
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_clearing_windows_event_logs.toml
+9 -4
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/05/23"
updated_date = "2022/08/08"
[rule]
author = ["Elastic"]
@@ -69,9 +69,14 @@ type = "eql"
query = '''
process where event.type in ("process_started", "start") and
(process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and
process.args : ("/e:false", "cl", "clear-log") or
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Clear-EventLog"
(
(process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and
process.args : ("/e:false", "cl", "clear-log")
) or
(
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
process.args : "Clear-EventLog"
)
'''