Skip to content

Hide Navigation Hide TOC

Suspicious Eventlog Clearing or Configuration Change Activity (cc36992a-4671-4f21-a91d-6c2b72a2edf5)

Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.

Cluster A Galaxy A Cluster B Galaxy B Level
Suspicious Eventlog Clearing or Configuration Change Activity (cc36992a-4671-4f21-a91d-6c2b72a2edf5) Sigma-Rules Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern 1
Suspicious Eventlog Clearing or Configuration Change Activity (cc36992a-4671-4f21-a91d-6c2b72a2edf5) Sigma-Rules Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 1
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 2