Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
Windows event logs were cleared or deleted with PowerShell.
Attacker's Goals
Attackers may clear events from Windows event logs to remove traces of their malicious activity.
Investigative actions
- Validate whether the executed script is part of legitimate IT activity.
- Look for additional suspicious actions that were executed on the host.
Variations
- Suspicious clear or delete security provider event logs with PowerShell
- Suspicious clear or delete default providers event logs with PowerShell
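As an added illustration, not part of the detector's own logic, the following Python snippet scans PowerShell script-block records for commands that clear or delete event logs, separates the two variations above, and applies the one-day deduplication from the synopsis. The sample records, their field names, and the set treated as "default providers" are constructed assumptions.

```python
import re
from typing import Optional

# Constructed records modelled on PowerShell Script Block Logging (Event ID 4104);
# not real telemetry. Fields assumed: host, ts (ISO-8601), script (ScriptBlockText).
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2024-05-01T09:00:00", "script": "Get-EventLog -LogName Application -Newest 10"},
    {"host": "ws01", "ts": "2024-05-01T09:05:00", "script": "Clear-EventLog -LogName Security"},
    {"host": "ws01", "ts": "2024-05-01T17:30:00", "script": "clear-eventlog security"},
    {"host": "ws02", "ts": "2024-05-01T11:00:00", "script": "wevtutil.exe cl System"},
    {"host": "ws03", "ts": "2024-05-02T08:00:00", "script": "Remove-EventLog -LogName 'My App'"},
]

# Cmdlets that clear or delete a log, and wevtutil's clear-log verb launched from PowerShell.
PS_CMDLET_RE = re.compile(
    r"\b(?:Clear|Remove)-EventLog\b(?:\s+-LogName)?\s+(?P<log>'[^']+'|\"[^\"]+\"|[^\s;|]+)", re.I)
WEVTUTIL_RE = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?P<log>'[^']+'|\"[^\"]+\"|[^\s;|]+)", re.I)

SECURITY_PROVIDERS = {"security"}
DEFAULT_PROVIDERS = {"application", "system", "setup"}  # assumed "default providers" set


def classify(script: str) -> Optional[str]:
    """Return which variation a script block matches, or None if it clears no log."""
    for rx in (PS_CMDLET_RE, WEVTUTIL_RE):
        m = rx.search(script)
        if not m:
            continue
        # -LogName accepts a comma-separated list; normalise quotes and case.
        names = {n.strip("'\" ").lower() for n in m.group("log").split(",")}
        if names & SECURITY_PROVIDERS:
            return "security provider"
        if names & DEFAULT_PROVIDERS:
            return "default providers"
        return "other provider"
    return None


def detect(events):
    """Raise one alert per host, variation and calendar day (1-day deduplication)."""
    seen, alerts = set(), []
    for ev in events:
        variation = classify(ev["script"])
        if variation is None:
            continue
        key = (ev["host"], variation, ev["ts"][:10])
        if key in seen:
            continue
        seen.add(key)
        alerts.append({"host": ev["host"], "day": key[2], "variation": variation, "script": ev["script"]})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts: the two Security clears on ws01 collapse into one, ws02 is reported under the default-providers variation, and the custom log on ws03 is reported separately.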