Adversaries may clear system logs to erase evidence of their presence and obfuscate their activities within the network. This query targets one such technique: running fsutil.exe with the usn deletejournal arguments, which deletes the NTFS USN change journal, a per-volume record of file creations, modifications and deletions that forensic analysts rely on to reconstruct what an intruder did on a host. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential ransomware or advanced persistent threat (APT) activity early.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
// =~ is a case-insensitive comparison, so FSUTIL.EXE and fsutil.exe both match
| where FileName =~ "fsutil.exe"
// "has" matches whole terms, so the two arguments are found wherever they sit
// in the command line (e.g. "fsutil usn deletejournal /D C:")
and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
```
```yaml
id: 5aa2b168-ab4f-44ab-8668-7845c7defcb1
name: clear-system-logs
description: |
  This query was originally published in the threat analytics report, Ransomware continues to hit healthcare, critical services. There is also a related blog.
  In April of 2020, security researchers observed multiple ransomware campaigns using the same set of techniques.
  The following query detects attempts to use fsutil.exe to clear system logs and delete forensic artifacts.
  The See also section below lists more queries related to techniques shared by these campaigns.
  Reference - https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense evasion
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName =~ "fsutil.exe"
  and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled and this table is being ingested |
The scenarios below are generic log-clearing exclusions. Note that the query above only matches fsutil.exe with the usn deletejournal arguments, so in practice the noise source is a documented disk-maintenance job that resets the USN journal; key any exclusion on the initiating process and account of that specific job rather than on the names of log-management tools, which never launch fsutil this way.

Scenario: System Maintenance Task (e.g., Windows Event Log Cleanup)
Description: A scheduled task runs to clean up old event logs as part of routine system maintenance.
Filter/Exclusion: Exclude events where the source is EventLog or Windows Event Log and the task is known to be part of a scheduled maintenance job (e.g., Cleanup-EventLog). Confirm the task exists and is unchanged on the host before excluding it; attackers routinely hide in scheduled tasks.

Scenario: Log Rotation by Log Management Tool (e.g., Splunk, Graylog, ELK Stack)
Description: Log rotation or archiving is performed by a log management tool, which may delete or archive old log entries.
Filter/Exclusion: Exclude events where the source is a log management tool (e.g., splunkd, graylog, logrotate) or where the action is related to log rotation (e.g., rotate, archive).

Scenario: Admin Task to Clear Logs for Troubleshooting (e.g., PowerShell or CLI)
Description: An administrator manually clears logs to troubleshoot an issue or reset the log state.
Filter/Exclusion: Exclude events where the user is a known admin (e.g., User: admin, User: root) and the command includes Clear-EventLog or truncate in the command line. Be careful with this one: administrative accounts are exactly the identities an intruder operates under after privilege escalation, so a blanket exclusion on the account removes the population you most need to see. Prefer suppressing a specific change window or ticket, or a named script launched from a known path, over excluding the account itself.

Scenario: Security Tool Log Purge (e.g., CrowdStrike, Palo Alto, Fortinet)
Description: A security tool performs a log purge as part of its maintenance or storage optimization.
Filter/Exclusion: Exclude events where the source is a security tool (e.g., CrowdStrike, Palo Alto, Fortinet) and the action is related to log purging or retention policy enforcement.
Scenario: Automated Log Archiving by SIEM (e.g., QRadar, IBM Guardium)
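The published query with the exclusion pattern described in the tuning notes applied, as an added example (this is not code from the Sentinel repository or from the threat analytics report). The maintenance service account `svc-diskmaint` and the script name `ResetUsnJournal` are assumed placeholders for whatever your own documented USN-journal maintenance job uses; the exclusion requires both the account and the launching script to match, so an intruder who merely reuses the service account still surfaces. Columns such as AccountName and InitiatingProcessCommandLine are standard DeviceProcessEvents fields.

```kusto
// Added example, not the repository's query: the original detection plus an
// exclusion for one documented maintenance job, then a per-host roll-up.
let lookback = 7d;
// Assumed placeholder: the service account that runs the USN-journal reset job
let maintenance_accounts = dynamic(["svc-diskmaint"]);
// Assumed placeholder: the scheduled-task script that launches fsutil for that job
let maintenance_scripts = dynamic(["ResetUsnJournal"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "fsutil.exe"
    and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
// Drop only the documented job: allowlisted account AND allowlisted script in
// the parent command line. Either one alone is not enough to suppress a hit.
| where not(AccountName in~ (maintenance_accounts)
            and InitiatingProcessCommandLine has_any (maintenance_scripts))
// One row per host and account, keeping the parent chain for triage
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            CommandLines = make_set(ProcessCommandLine, 10),
            Parents = make_set(InitiatingProcessCommandLine, 10)
    by DeviceName, AccountName
| order by LastSeen desc
```

Run it over the same 7-day window as the original and compare the hit count before and after the exclusion; if the difference is more than the handful of hosts your maintenance job touches, the allowlist is too broad.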