[Rule Tuning] Clearing or Disabling Windows Event Logs (#393)

* [Rule Tuning] Clearing or Disabling Windows Event Logs

* added tags

* Update defense_evasion_clearing_windows_event_logs.toml

* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* updated the rule update date

* linted

* fixing unit test error

* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Samirbous
2020-12-02 20:35:35 +01:00
committed by GitHub
parent db2d17ccb2
commit e6645a8be9
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2020/11/03"
updated_date = "2020/11/30"
[rule]
author = ["Elastic"]
description = """
Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection
or destroy forensic evidence on a system.
Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by
attackers in an attempt to evade detection or destroy forensic evidence on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
@@ -21,9 +21,9 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
process.name:wevtutil.exe and process.args:cl or
process.name:powershell.exe and process.args:Clear-EventLog
event.category:process and event.type:(process_started or start) and
(process.name:"wevtutil.exe" or process.pe.original_file_name:"wevtutil.exe") and
process.args:("/e:false" or cl or "clear-log") or process.name:"powershell.exe" and process.args:"Clear-EventLog"
'''
@@ -39,4 +39,3 @@ reference = "https://attack.mitre.org/techniques/T1070/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
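Review bot: The PowerShell branch on the last query line is not covered by the `event.category:process and event.type:(process_started or start)` prefix, because KQL binds `and` tighter than `or`, so `process.name:"powershell.exe" and process.args:"Clear-EventLog"` stands alone and will also fire on non-start process events (e.g. termination), and it gets neither the `process.pe.original_file_name` fallback nor `pwsh.exe` that the wevtutil branch was given. I would parenthesize and widen it: `event.category:process and event.type:(process_started or start) and` / `((process.name:"wevtutil.exe" or process.pe.original_file_name:"wevtutil.exe") and process.args:("/e:false" or cl or "clear-log") or` / `process.name:("powershell.exe" or "pwsh.exe") and process.args:"Clear-EventLog")`. If `process.args` is mapped as a case-sensitive keyword in this index pattern (not visible here), `cl`/`CL` and `/E:false` variants that wevtutil accepts would also slip past the exact tokens, so consider adding those spellings or confirming the field is normalized. Separately, the new description string on the line `Identifies attempts to clear or disable ...` misspells the binary as `wevetutil`; it should read `wevtutil`.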