Detects usage of the WMI class “Win32_NTEventlogFile” in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
```yaml
title: Potentially Suspicious Call To Win32_NTEventlogFile Class
id: caf201a9-c2ce-4a26-9c3a-2b9525413711
related:
    - id: e2812b49-bae0-4b21-b366-7c142eafcde2
      type: similar
status: test
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
    - attack.defense-impairment
logsource:
    category: process_creation
    product: windows
detection:
    selection_class:
        CommandLine|contains: 'Win32_NTEventlogFile'
    selection_function:
        CommandLine|contains:
            - '.BackupEventlog('
            - '.ChangeSecurityPermissions('
            - '.ChangeSecurityPermissionsEx('
            - '.ClearEventLog('
            - '.Delete('
            - '.DeleteEx('
            - '.Rename('
            - '.TakeOwnerShip('
            - '.TakeOwnerShipEx('
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
```kql
imProcessCreate
| where TargetProcessCommandLine contains "Win32_NTEventlogFile"
    and (TargetProcessCommandLine contains ".BackupEventlog("
        or TargetProcessCommandLine contains ".ChangeSecurityPermissions("
        or TargetProcessCommandLine contains ".ChangeSecurityPermissionsEx("
        or TargetProcessCommandLine contains ".ClearEventLog("
        or TargetProcessCommandLine contains ".Delete("
        or TargetProcessCommandLine contains ".DeleteEx("
        or TargetProcessCommandLine contains ".Rename("
        or TargetProcessCommandLine contains ".TakeOwnerShip("
        or TargetProcessCommandLine contains ".TakeOwnerShipEx(")
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
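To see how the two selections combine under `condition: all of selection_*`, here is an added Python harness (not part of the rule or of the SigmaHQ project) that evaluates the rule's string logic against constructed process-creation command lines; the sample events are invented, and the case-insensitive matching mirrors the default behaviour of Sigma's `contains` modifier and of KQL's `contains`.

```python
"""Evaluate the Win32_NTEventlogFile Sigma rule above against command lines."""

# Strings copied from the rule's selection_class / selection_function.
WMI_CLASS = "Win32_NTEventlogFile"
SUSPICIOUS_METHODS = (
    ".BackupEventlog(", ".ChangeSecurityPermissions(", ".ChangeSecurityPermissionsEx(",
    ".ClearEventLog(", ".Delete(", ".DeleteEx(", ".Rename(",
    ".TakeOwnerShip(", ".TakeOwnerShipEx(",
)


def _contains(haystack: str, needle: str) -> bool:
    # Sigma's `contains` modifier and KQL's `contains` are both case-insensitive.
    return needle.lower() in haystack.lower()


def matched_methods(command_line: str) -> list:
    """Which selection_function strings occur in the command line (triage context)."""
    return [m for m in SUSPICIOUS_METHODS if _contains(command_line, m)]


def matches_rule(command_line: str) -> bool:
    """condition: all of selection_* -> class name AND at least one method string."""
    return _contains(command_line, WMI_CLASS) and bool(matched_methods(command_line))


# Constructed sample events (label, CommandLine); not real telemetry.
SAMPLE_EVENTS = [
    ("clear-security-log",
     "powershell.exe -c \"(Get-WmiObject -Class Win32_NTEventlogFile -Filter "
     "\\\"LogFileName='Security'\\\").ClearEventLog()\""),
    ("backup-then-delete-lowercase",
     "powershell -ep bypass -c \"$l = gwmi win32_nteventlogfile -f \\\"LogFileName='System'\\\"; "
     "$l.backupeventlog('C:\\\\t.evtx'); $l.delete()\""),
    ("read-only-inventory",
     "powershell.exe -c \"Get-WmiObject Win32_NTEventlogFile | Select-Object LogFileName, FileSize\""),
    ("unrelated-delete",
     "powershell.exe -c \"(Get-Item C:\\\\temp\\\\old.txt).Delete()\""),
]


def run_detection(events=SAMPLE_EVENTS) -> dict:
    """Map each matching event label to the method strings that fired."""
    return {label: matched_methods(cmd) for label, cmd in events if matches_rule(cmd)}


if __name__ == "__main__":
    for label, hits in run_detection().items():
        print(f"ALERT {label}: {hits}")
```

The read-only inventory and the unrelated `.Delete(` call show why both selections are required: the class name alone, or a method string alone, is not enough to fire the rule.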