Adversaries may delete EVTX files to eliminate forensic evidence and obscure their activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data tampering or evidence destruction attempts early.
Detection Rule
title: EventLog EVTX File Deleted
id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
status: test
description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
        TargetFilename|endswith: '.evtx'
    condition: selection
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query (ASIM FileEvent schema)
imFileEvent
| where EventType == "FileDeleted"
| where TargetFilePath startswith "C:\\Windows\\System32\\winevt\\Logs\\" and TargetFilePath endswith ".evtx"
False Positive Scenarios and Tuning
Scenario: A system administrator deletes the event log files as part of a routine log cleanup or rotation process.
Filter/Exclusion: Check for the presence of a known log management tool (e.g., Splunk, ELK Stack, or Microsoft Log Analytics) and filter events where the deletion is initiated by a service account or scheduled task associated with log management.
Scenario: A scheduled job or script (e.g., a PowerShell or batch script) is configured to delete event log files to free up disk space or meet compliance requirements.
Filter/Exclusion: Filter events where the deletion is initiated by a known script or scheduled task (e.g., schtasks.exe or powershell.exe with a known script path).
Scenario: A third-party application or service (e.g., Microsoft System Center or a SIEM tool) temporarily deletes event log files during a data export or backup operation.
Filter/Exclusion: Check for the presence of the application's service account or process name (e.g., SystemCenter.exe, splunkd.exe) and exclude events initiated by those processes.
Scenario: An IT support tool or remote management tool (e.g., Microsoft Endpoint Manager or a remote desktop session) deletes event logs as part of a troubleshooting or diagnostic task.
Filter/Exclusion: Filter events where the deletion is initiated by a known remote management tool or by a user with a specific role (e.g., ITSupport or Helpdesk).
Scenario: A user manually deletes event log files to investigate a system issue or troubleshoot an application error.
Filter/Exclusion: Exclude events where the deletion is performed by a user with a specific role (e.g., ITUser, SupportUser) or where the action is logged with a known troubleshooting context.
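As an added example (not part of the original rule or this page), the query below turns the scenarios above into a tuned hunt: it keeps only deletion events, drops the log management, scripted and support activity the scenarios describe, and aggregates what remains per host and actor so that one account removing many EVTX files in a short window surfaces as a single high-count row. The ASIM columns ActingProcessName, ActingProcessCommandLine, ActorUsername and DvcHostname are assumed from the FileEvent schema; the allowlist values are constructed placeholders to be replaced with the environment's own process names, script paths and accounts.

```kql
// Added example: tuned EVTX-deletion hunt for Sentinel over the ASIM FileEvent schema.
// The three allowlists are constructed placeholders; populate them from your own change records.
let knownLogTools = dynamic(["splunkd.exe", "SystemCenter.exe"]);        // log management / SIEM scenarios
let knownScriptPaths = dynamic(["C:\\Scripts\\Rotate-EventLogs.ps1"]);    // placeholder path for the scheduled-script scenario
let knownSupportAccounts = dynamic(["svc-logmgmt", "helpdesk-admin"]);   // placeholder accounts for the IT support scenarios
let watchedLogs = dynamic(["Security.evtx", "System.evtx"]);             // logs whose removal most hurts an investigation
imFileEvent
// Only true deletions: EVTX files are created and modified constantly during normal log rotation
| where EventType == "FileDeleted"
// Same path logic as the Sigma rule; ASIM carries the full path in TargetFilePath, not TargetFileName
| where TargetFilePath startswith "C:\\Windows\\System32\\winevt\\Logs\\"
    and TargetFilePath endswith ".evtx"
// Exclusions derived from the false positive scenarios
| where not(ActingProcessName in~ (knownLogTools))
| where not(ActingProcessName in~ ("powershell.exe", "schtasks.exe")
            and ActingProcessCommandLine has_any (knownScriptPaths))
| where not(ActorUsername in~ (knownSupportAccounts))
// Aggregate into 15-minute windows per host, actor and process
| summarize DeletedCount = count(),
            DeletedLogs = make_set(TargetFileName, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by DvcHostname, ActorUsername, ActingProcessName, bin(TimeGenerated, 15m)
// Raise priority when many logs go at once or when Security/System logs are among them
| extend TouchedWatchedLog = array_length(set_intersect(DeletedLogs, watchedLogs)) > 0
| extend Severity = iff(DeletedCount >= 5 or TouchedWatchedLog, "high", "medium")
| project-away TimeGenerated
| order by DeletedCount desc, LastSeen desc
```

Start with the allowlists empty, review the resulting rows for a few days, and only then add the processes and accounts that account for the recurring benign deletions, so the exclusions stay tied to observed activity.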