{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/host-activity/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","host-activity","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying instances where an attempt to clear Windows event logs via the Windows Management Instrumentation (WMI) \u003ccode\u003eNTEventLogFile ClearEventLog\u003c/code\u003e method fails. Such failures are recorded as \u003ccode\u003eEventID 5858\u003c/code\u003e within the \u003ccode\u003eWMI-Activity\u003c/code\u003e operational log. This event is specifically generated when the WMI operation encounters an error, such as access denied due to insufficient privileges or a provider failure. While this event indicates a failed action, it is a strong indicator that an attacker has attempted to impair defenses by removing forensic evidence. Successful event log clearing operations do \u003cem\u003enot\u003c/em\u003e generate \u003ccode\u003eEventID 5858\u003c/code\u003e and would instead typically correlate with \u003ccode\u003eSecurity event 1102\u003c/code\u003e or \u003ccode\u003eSystem event 104\u003c/code\u003e for successful clearance. Detecting these failed attempts can provide an early warning of adversary activity before successful obfuscation occurs.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attempt to clear event logs can significantly hamper forensic investigations and incident response efforts by removing crucial evidence of malicious activity, including initial access, privilege escalation, and lateral movement. While this brief focuses on \u003cem\u003efailed\u003c/em\u003e attempts, the fact that such an attempt occurred signifies an adversary's intent to impair system defenses. If these attempts were to succeed, organizations could face prolonged undetected breaches, making attribution and recovery exceedingly difficult, potentially leading to significant data exfiltration, system compromise, or financial losses without a clear audit trail.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Failed Event Log Clear Via WMI NTEventLogFile ClearEventLog\u0026quot; to your SIEM system to identify failed attempts to clear event logs.\u003c/li\u003e\n\u003cli\u003eEnsure that \u003ccode\u003eWMI-Activity\u003c/code\u003e operational logs are enabled, collected, and ingested into your SIEM, as this is the log source for \u003ccode\u003eEventID 5858\u003c/code\u003e used by the rule.\u003c/li\u003e\n\u003cli\u003eReview alerts generated by this rule to investigate the source process attempting the \u003ccode\u003eClearEventLog\u003c/code\u003e method, determine if the activity was legitimate (e.g., misconfigured admin script), and adjust permissions if necessary or escalate as a security incident.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T23:27:12Z","date_published":"2026-07-08T23:27:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-failed-wmi-eventlog-clear/","summary":"This brief details the detection of failed attempts by an adversary to clear Windows event logs using the WMI `ClearEventLog` method, indicating an unsuccessful defense impairment action due to insufficient privileges or other issues.","title":"Detection of Failed WMI Event Log Clear Attempts","url":"https://feed.craftedsignal.io/briefs/2026-07-failed-wmi-eventlog-clear/"}],"language":"en","title":"CraftedSignal Threat Feed - Host-Activity","version":"https://jsonfeed.org/version/1.1"}