Detects a behavioral sequence in which an adversary operating with elevated privileges clears Windows event logs using native binaries (e.g., `wevtutil cl`), PowerShell cmdlets (e.g., `Clear-EventLog`), or direct deletion of `.evtx` files.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | WinEventLog:Security | EventCode=1102 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Deletion (DC0040) | WinEventLog:Sysmon | EventCode=23 |

| Field | Description |
|---|---|
| TimeWindow | Time range between log-clearing command and 1102 event; tunable to reduce false positives |
| UserContext | Filter by admin/elevated users; allow tuning to detect abuse of high-privilege accounts |
| CommandLinePattern | Match common variants of log-clearing commands such as `wevtutil cl` / `wevtutil clear-log`, `Clear-EventLog`, and `Remove-EventLog` |
| TargetLogName | Scope detection to Security, System, Application, or custom logs based on environment |
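
The correlation the two tables describe, as an added example that is not part of the original analytic: it applies the four tunables to constructed sample events from the three listed channels and returns one alert per in-scope clearing action by an elevated user, marking a command as confirmed when a Security EID 1102 follows it on the same host inside the time window. Host names, the `ELEVATED_USERS` set and the sample events are hypothetical. One caveat the page does not state: EID 1102 is written only when the Security log is cleared; clearing System or Application is recorded as EID 104 in the System log, so confirming a `wevtutil cl System` would need that event, which this example does not model.

```python
"""Sequence detection: elevated user clears an event log, confirmed by Security EID 1102.

Added example, not code from the original detection page. Events, host names and
the ELEVATED_USERS set are constructed/hypothetical; tune them per environment.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunable fields from the detection page
TIME_WINDOW = timedelta(minutes=5)                                # TimeWindow
ELEVATED_USERS = {"CORP\\Administrator", "NT AUTHORITY\\SYSTEM"}  # UserContext (hypothetical)
TARGET_LOGS = {"security", "system", "application"}               # TargetLogName (lower-cased)
COMMAND_LINE_PATTERNS = [                                         # CommandLinePattern
    re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\"?(?P<log>[\w/-]+)", re.I),
    re.compile(r"\b(?:Clear|Remove)-EventLog\b(?:\s+-LogName)?\s+\"?(?P<log>[\w/-]+)", re.I),
]
# Direct deletion of an .evtx under the live log directory (Sysmon EID 23)
EVTX_PATH = re.compile(r"\\winevt\\Logs\\(?P<log>[^\\]+)\.evtx$", re.I)


@dataclass
class Event:
    ts: datetime
    host: str
    channel: str            # "WinEventLog:Security" or "WinEventLog:Sysmon"
    code: int               # EventCode
    user: str
    command_line: str = ""  # Sysmon EID 1
    target_file: str = ""   # Sysmon EID 23


def clearing_target(command_line):
    """Return the log name a command clears, or None if it is not a log-clearing command."""
    for pat in COMMAND_LINE_PATTERNS:
        m = pat.search(command_line)
        if m:
            return m.group("log")
    return None


def correlate(events):
    """Return one alert per in-scope clearing action by an elevated user.

    An alert is 'confirmed' when a Security EID 1102 follows it on the same host
    within TIME_WINDOW. EID 1102 only records clearing of the Security log, so
    clears of other logs and .evtx deletions normally stay unconfirmed.
    """
    events = sorted(events, key=lambda e: e.ts)
    cleared = [e for e in events if e.channel == "WinEventLog:Security" and e.code == 1102]
    alerts = []
    for e in events:
        if e.channel != "WinEventLog:Sysmon" or e.user not in ELEVATED_USERS:
            continue
        if e.code == 1:
            log, via = clearing_target(e.command_line), "command"
        elif e.code == 23:
            m = EVTX_PATH.search(e.target_file)
            log, via = (m.group("log") if m else None), "file_deletion"
        else:
            continue
        if log is None or log.lower() not in TARGET_LOGS:
            continue
        confirmed = any(
            c.host == e.host and timedelta(0) <= c.ts - e.ts <= TIME_WINDOW for c in cleared
        )
        alerts.append({"host": e.host, "user": e.user, "log": log, "via": via,
                       "confirmed_by_1102": confirmed, "ts": e.ts.isoformat()})
    return alerts


T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    Event(T0, "WS01", "WinEventLog:Sysmon", 1, "CORP\\Administrator",
          command_line="wevtutil.exe cl Security"),
    Event(T0 + timedelta(seconds=15), "WS01", "WinEventLog:Security", 1102, "CORP\\Administrator"),
    Event(T0 + timedelta(minutes=1), "WS02", "WinEventLog:Sysmon", 1, "CORP\\jdoe",  # not elevated
          command_line='powershell.exe -c "Clear-EventLog -LogName Application"'),
    Event(T0 + timedelta(minutes=2), "WS01", "WinEventLog:Sysmon", 23, "NT AUTHORITY\\SYSTEM",
          target_file=r"C:\Windows\System32\winevt\Logs\System.evtx"),
    Event(T0, "WS03", "WinEventLog:Sysmon", 1, "CORP\\Administrator",  # query, not a clear
          command_line="wevtutil qe Security /c:5 /f:text"),
    Event(T0, "WS04", "WinEventLog:Sysmon", 1, "CORP\\Administrator",
          command_line='powershell.exe -c "Clear-EventLog Security"'),
    Event(T0 + timedelta(minutes=10), "WS04", "WinEventLog:Security", 1102,  # outside TIME_WINDOW
          "CORP\\Administrator"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running it yields three alerts: the confirmed `wevtutil cl Security` on WS01, the unconfirmed `Clear-EventLog Security` on WS04 (its 1102 lands ten minutes later, outside the window), and the `System.evtx` deletion on WS01. Two practitioner notes: the EventLog service holds the live `.evtx` files open, so a Sysmon EID 23 on that path usually means the service was stopped first, which merits a rule of its own; and an EID 1102 with no in-window command (a clear from Event Viewer, or a process Sysmon did not record) is better routed to a separate lower-severity rule than silently dropped.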