Monitors sequences involving deletion/modification of logs, registry keys, scheduled tasks, or prefetch files following suspicious process activity or elevated access escalation.

| Data Component | Name | Channel |
|---|---|---|
| File Deletion (DC0040) | WinEventLog:Sysmon | EventCode=23 |
| Application Log Content (DC0038) | WinEventLog:Security | EventCode=1102 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| TimeWindow | Correlate indicator removal within X mins after persistence/setup activities |
| TargetFilePathPattern | Customize detection to log file paths or common registry hives |

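The Windows correlation above, worked through as an added example (not code from the original page): indicator-removal events (Sysmon EventCode 23 on artifact paths, Security EventCode 1102) are only raised when a persistence or elevated-process precursor (Sysmon EventCode 13 on a Run key, or an elevated Sysmon EventCode 1) occurred within the TimeWindow. The event records, the `integrity` field name and the path patterns are constructed assumptions for illustration.

```python
import re
from datetime import datetime
# Constructed sample events (not real telemetry). "integrity" stands in for
# the Sysmon Event 1 IntegrityLevel field (assumed field mapping).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "channel": "Sysmon", "code": 1,
     "image": r"C:\Windows\System32\cmd.exe", "integrity": "High"},
    {"ts": "2024-05-01T10:01:30", "channel": "Sysmon", "code": 13,
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"ts": "2024-05-01T10:03:00", "channel": "Sysmon", "code": 23,
     "target": r"C:\Windows\Prefetch\CMD.EXE-1234ABCD.pf"},
    {"ts": "2024-05-01T10:04:00", "channel": "Security", "code": 1102},
    {"ts": "2024-05-01T18:00:00", "channel": "Sysmon", "code": 23,
     "target": r"C:\Users\bob\Downloads\report.tmp"},  # routine deletion
    {"ts": "2024-05-02T09:00:00", "channel": "Security", "code": 1102},  # no precursor
]
# Mutable elements from the analytic: TimeWindow and TargetFilePathPattern.
TARGET_FILE_PATH_PATTERN = re.compile(
    r"\\Prefetch\\|\\winevt\\Logs\\|\.evtx$|\\System32\\Tasks\\", re.IGNORECASE)
PERSISTENCE_KEY_PATTERN = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

def is_precursor(e):
    """Persistence/setup or elevated activity that must precede the removal."""
    if e["channel"] == "Sysmon" and e["code"] == 1:
        return e.get("integrity") == "High"          # elevated process start
    if e["channel"] == "Sysmon" and e["code"] == 13:
        return bool(PERSISTENCE_KEY_PATTERN.search(e.get("target", "")))
    return False

def is_removal(e):
    """Indicator removal: audit log cleared, or deletion of artifact paths."""
    if e["channel"] == "Security" and e["code"] == 1102:
        return True
    if e["channel"] == "Sysmon" and e["code"] == 23:
        return bool(TARGET_FILE_PATH_PATTERN.search(e.get("target", "")))
    return False

def correlate(events, window_minutes=15):
    """Return removal events that follow a precursor within the time window."""
    precursors, hits = [], []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if is_precursor(e):
            precursors.append((ts, e))
        elif is_removal(e):
            recent = [p for pts, p in precursors
                      if 0 <= (ts - pts).total_seconds() <= window_minutes * 60]
            if recent:  # most recent precursor is the best context for triage
                hits.append({"removal": e, "precursor": recent[-1]})
    return hits
```

Widening TimeWindow raises recall at the cost of more benign deletions being paired with unrelated precursors; the routine deletion and the uncorrelated 1102 in the sample are what the pattern and window filters are meant to suppress.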
Detects deletion or overwriting of bash history, syslog, audit logs, and .ssh metadata following privilege elevation or suspicious process spawning.

| Data Component | Name | Channel |
|---|---|---|
| File Deletion (DC0040) | auditd:SYSCALL | unlink, rename, open |
| Application Log Content (DC0038) | linux:cli | cleared or truncated .bash_history |

| Field | Description |
|---|---|
| MonitoredPaths | Adjust based on syslog/auditd file paths (/var/log/messages, /var/log/audit/audit.log) |
| UserContext | Scope to root/sudo usage or anomalous user behavior |

Detects clearing of unified logs, deletion of plist files tied to persistence, and manipulation of Terminal history after initial execution.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | log stream cleared or truncated |
| File Deletion (DC0040) | fs:fsusage | unlink, fs_delete |
| File Modification (DC0061) | macos:osquery | File modifications in ~/Library/Preferences/ |

| Field | Description |
|---|---|
| PlistTargetPaths | Define which plist paths relate to LaunchAgents or LaunchDaemons |
| ExecutionChainDepth | Allow tuning for multi-process persistence chains |

Monitors tampering with audit logs, volumes, or mounted storage often used for side-channel logging (e.g., /var/log inside containers) post-compromise.

| Data Component | Name | Channel |
|---|---|---|
| File Deletion (DC0040) | docker:daemon | container file operations |
| File Metadata (DC0059) | ebpf:syscalls | Unexpected container volume unmount + file deletion |

| Field | Description |
|---|---|
| LogMountPaths | Tune based on how logs are exported (bind-mount, overlay) |
| ContainerLabelScope | Limit detection to suspicious containers or runtime classes |

Tracks suspicious use of ESXi shell commands or PowerCLI to delete logs, rotate system files, or tamper with hostd/vpxa history.

| Data Component | Name | Channel |
|---|---|---|
| File Deletion (DC0040) | esxi:hostd | rm, clearlogs, logrotate |

| Field | Description |
|---|---|
| LogSourceType | Tune per vCenter, vSphere, ESXi CLI telemetry collection |
| LogPathPattern | Target specific high-value log paths (e.g., /var/log/hostd.log) |

Detects deletion or hiding of security-related mail rules, audit mailboxes, or calendar/log sync artifacts indicative of tampering post-intrusion.

| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Modification (DC0012) | m365:exchange | Remove-InboxRule, Clear-Mailbox |
| Application Log Content (DC0038) | m365:unified | PurgeAuditLogs, Remove-MailboxAuditLog |

| Field | Description |
|---|---|
| TargetMailboxScope | Limit by VIP mailboxes or external-facing users |
| AuditLogDepth | Tune for log deletion following lateral movement |