[metadata] creation_date = "2023/07/06" integration = ["windows"] maturity = "production" updated_date = "2025/03/20" [rule] author = ["Elastic"] building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. """ from = "now-119m" index = ["winlogbeat-*", "logs-windows.powershell*"] interval = "60m" language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Log Clear Capabilities" references = [ "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog", ] risk_score = 21 rule_id = "3d3aa8f9-12af-441f-9344-9f31053e316d" setup = """## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` Steps to implement the logging policy via registry: ``` reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR", ] timestamp_override = "event.ingested" type = "query" query = ''' event.category:process and host.os.type:windows and powershell.file.script_block_text : ( "Clear-EventLog" or "Remove-EventLog" or ("Eventing.Reader.EventLogSession" and ".ClearLog") or ("Diagnostics.EventLog" and ".Clear") ) and not powershell.file.script_block_text : ( "CmdletsToExport=@(\"Add-Content\"" ) and not file.directory : "C:\Program Files\WindowsAdminCenter\PowerShellModules\Microsoft.WindowsAdminCenter.Configuration" ''' [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Resources\\\\*\\\\M365Library.ps1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" [[rule.threat.technique.subtechnique]] id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"