Introduction

The security operations team at a mid-sized financial services firm has opened a detection gap review following a recent red team engagement. During the exercise, the red team cleared Windows event logs on three compromised hosts, including the System and Application logs, using a combination of native Windows utilities, PowerShell cmdlets, and WMI, without triggering a single alert. Post-engagement analysis confirmed that the organization had no detection coverage for MITRE ATT&CK T1070.001 (Indicator Removal: Clear Windows Event Logs), leaving a critical blind spot in its defensive posture.

As the assigned detection engineer, your mission is to close that gap by researching the technique in depth, identifying every relevant data source and attacker method, and building validated Sigma rules that would have caught each stage of the red team's activity.

The lab will take you through two phases. The first phase, Technique Research, covers the native Windows binaries, WMI classes, PowerShell cmdlets, and .NET API methods that attackers use to clear event logs, as well as the built-in Windows audit events that are generated as a direct result of clearing activity (Security event ID 1102 when the Security log is cleared, System event ID 104 for other logs). The second phase, Rule Development, tasks you with building three Sigma rules targeting different detection layers: PowerShell Script Block Logging, process creation telemetry, and native Windows audit events. Each rule is validated against a corpus of historical EVTX artifacts using Chainsaw to confirm that it detects real activity.
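
As an added example, not part of the lab and not code from the Sigma or Chainsaw projects, the following Python writes one rule per detection layer named above in Sigma's selection style and evaluates them over constructed events: a Sysmon process creation record for wevtutil, a PowerShell 4104 script block that invokes the Win32_NTEventLogFile ClearEventLog method, a Security 1102 record, and a benign wevtutil query that must not fire. Field names follow the Sigma taxonomy; the matcher is a small stand-in for the real Sigma engine and implements only the modifiers these rules use.

```python
"""Sigma-style detection logic for T1070.001 on the three layers the lab targets
(process creation, PowerShell script block logging, native audit events), run
over constructed sample events. Added example: not lab code and not from the
Sigma or Chainsaw projects. Field names follow the Sigma taxonomy."""

# Each rule mirrors a Sigma rule body: a logsource plus one "selection" whose
# keys are "Field|modifier". Supported modifiers: contains and endswith; list
# values are OR'ed unless "|all" is present. Matching is case-insensitive,
# as in Sigma.
RULES = [
    {
        "title": "Event log cleared via wevtutil",
        "logsource": {"product": "windows", "category": "process_creation"},
        "selection": {
            "Image|endswith": "\\wevtutil.exe",
            "CommandLine|contains": [" cl ", " clear-log "],
        },
        "tags": ["attack.defense_evasion", "attack.t1070.001"],
    },
    {
        "title": "Event log cleared from PowerShell (cmdlet, WMI or .NET)",
        "logsource": {"product": "windows", "category": "ps_script"},
        "selection": {
            "ScriptBlockText|contains": [
                "Clear-EventLog",   # Windows PowerShell cmdlet
                "ClearEventLog",    # Win32_NTEventLogFile WMI method
                "ClearLog(",        # EventLogSession.ClearLog (.NET)
            ],
        },
        "tags": ["attack.defense_evasion", "attack.t1070.001"],
    },
    {
        # Security EID 1102 and System EID 104 both come from this provider.
        # A production rule set splits them into two rules (service: security
        # and service: system); one provider-keyed rule is enough here.
        "title": "Event log cleared (native audit event)",
        "logsource": {"product": "windows"},
        "selection": {"Provider_Name": "Microsoft-Windows-Eventlog",
                      "EventID": [1102, 104]},
        "tags": ["attack.defense_evasion", "attack.t1070.001"],
    },
]

# Constructed sample events, shaped like normalised Sysmon EID 1, PowerShell
# EID 4104 and Security EID 1102 records (not captured from a real host).
SAMPLE_EVENTS = [
    {"logsource": {"product": "windows", "category": "process_creation"},
     "EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl System"},
    {"logsource": {"product": "windows", "category": "ps_script"},
     "EventID": 4104,
     "ScriptBlockText": "Get-WmiObject Win32_NTEventLogFile -Filter "
                        "\"LogFileName='Application'\" | % { $_.ClearEventLog() }"},
    {"logsource": {"product": "windows", "service": "security"},
     "EventID": 1102, "Provider_Name": "Microsoft-Windows-Eventlog",
     "SubjectUserName": "jdoe"},
    # Benign: querying the log with wevtutil must not fire the first rule.
    {"logsource": {"product": "windows", "category": "process_creation"},
     "EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe System /c:5 /rd:true /f:text"},
]


def _match_one(actual, expected, modifier):
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    return a == e  # no modifier: exact match


def _field_matches(event, key, expected):
    field, *modifiers = key.split("|")
    if field not in event:  # a missing field never matches
        return False
    require_all = "all" in modifiers
    modifier = next((m for m in modifiers if m != "all"), None)
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match_one(event[field], v, modifier) for v in values]
    return all(hits) if require_all else any(hits)


def rule_matches(rule, event):
    """True when the event's logsource and every selection field match."""
    logsource_ok = all(event.get("logsource", {}).get(k) == v
                       for k, v in rule["logsource"].items())
    return logsource_ok and all(_field_matches(event, k, v)
                                for k, v in rule["selection"].items())


def hunt(events, rules=RULES):
    """(rule title, event index) pairs, the shape of a chainsaw hunt hit list."""
    return [(r["title"], i) for i, e in enumerate(events)
            for r in rules if rule_matches(r, e)]
```

Running hunt(SAMPLE_EVENTS) yields one hit per attacker event (indices 0, 1 and 2) and nothing for the benign query. The lab's validation step is the same idea against real data: Chainsaw's hunt subcommand pointed at a directory of EVTX files, with -s naming the Sigma rule directory and --mapping one of its bundled Sigma field mappings. One caveat worth keeping in mind when you rank these layers: event 1102 is written into the Security log after it is cleared, so it survives the clearing, whereas the Sysmon and PowerShell records live in other channels that the same attacker can clear next, so those layers only hold up if the telemetry is forwarded off the host promptly.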

Analysis
