Windows - Deletion Event Log Detection Test

Deletion of Windows Event Log SIEM Detection Test

The deletion of a Windows Event Viewer Security log is a common pattern of post-attack evasion by malicious software and attackers. By monitoring for this deletion, you can have immediate awareness of what should be an unusual activity -- with the benefit of having those same deleted event logs stored in Blumira for analysis.

How to Test Deletion of Windows Security Log

Prerequisites:

Windows Host must be set up with NxLog configuration and properly logging to Blumira
GPO Advanced Logging (Logmira) - must be installed and logging properly to Blumira

Testing Steps:

There are various ways to delete the Security Event Viewer Logs, however the easiest is to use a PowerShell command
Open PowerShell with "Run as Administrator"
Run the command Clear-EventLog "Security"
This detection test will trigger a finding in your Blumira console and the appropriate notifications per your Blumira settings

Additional Security Resources

View All Posts

Product Updates

6 min read | July 22, 2024

Detect and Respond to Azure Threats With Blumira: Easy Cloud SIEM Setup

Security Trends and Info

5 min read | April 26, 2024

Detecting and Preventing Ransomware Attacks in Microsoft Environments

Security Alerts

8 min read | April 19, 2024

Why are Threat Actors enabling Windows Restricted Admin mode?

Get Started for Free

Experience the Blumira Free SIEM, with automated detection and response plus compliance reports for 3 cloud connectors, forever.