# Clearing Windows Event Logs with wevtutil
Identifies attempts to clear Windows event logs with the command wevtutil.
| id | 5b223758-07d6-4100-9e11-238cfdd0fe97 |
|---|---|
| categories | detect |
| confidence | low |
| os | windows |
| created | 11/30/2018 |
| updated | 11/30/2018 |
## MITRE ATT&CK™ Mapping
| tactics | Defense Evasion |
|---|---|
| techniques | T1070 Indicator Removal on Host |
## Query
```eql
process where subtype.create and
  process_name == "wevtutil.exe" and command_line == "* cl *"
```
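Added example, not code from the analytics library: a small Python checker that applies the same three conditions as the query above to constructed process-creation events (the event dicts, their field names and the sample command lines are assumptions), with the `* cl *` glob evaluated case-insensitively as EQL string comparison is. It goes one step beyond the page's query: an optional alias list lets it also flag the documented long form `clear-log`, which the `* cl *` pattern alone does not match.

```python
import fnmatch

# Constructed process events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create",
     "process_name": "wevtutil.exe",
     "command_line": "wevtutil cl Security"},
    # Upper case and extra whitespace still satisfy "* cl *".
    {"event_type": "process", "subtype": "create",
     "process_name": "WEVTUTIL.EXE",
     "command_line": "wevtutil.exe  CL  System /bu:C:\\tmp\\sys.evtx"},
    # Querying events is benign and must not match.
    {"event_type": "process", "subtype": "create",
     "process_name": "wevtutil.exe",
     "command_line": "wevtutil qe Security /c:5"},
    # Long-form alias: missed by the page's query, caught with extra_aliases.
    {"event_type": "process", "subtype": "create",
     "process_name": "wevtutil.exe",
     "command_line": "wevtutil clear-log Application"},
    # Wrong subtype: the rule only looks at process creation.
    {"event_type": "process", "subtype": "terminate",
     "process_name": "wevtutil.exe",
     "command_line": "wevtutil cl Security"},
    # Parent shell: the rule fires on the wevtutil.exe child, not on cmd.exe.
    {"event_type": "process", "subtype": "create",
     "process_name": "cmd.exe",
     "command_line": "cmd /c wevtutil cl Security"},
]


def matches_rule(event, extra_aliases=()):
    """True when the event satisfies the page's EQL query.

    extra_aliases adds further subcommand spellings (e.g. "clear-log") that
    are matched the same way as "cl"; empty by default so the function
    mirrors the query exactly.
    """
    if event.get("event_type") != "process" or event.get("subtype") != "create":
        return False
    if event.get("process_name", "").lower() != "wevtutil.exe":
        return False
    cmd = event.get("command_line", "").lower()
    # fnmatchcase on lower-cased input gives EQL-style case-insensitive globbing.
    return any(fnmatch.fnmatchcase(cmd, "* %s *" % sub)
               for sub in ("cl",) + tuple(extra_aliases))


def find_log_clearing(events, extra_aliases=()):
    """Return the events that the rule would alert on."""
    return [e for e in events if matches_rule(e, extra_aliases)]
```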