Clearing Event Log with wevtapi functions (#1006)

* Added related wevtapi functions

* Update clear-windows-event-logs.yml

* Update clear-windows-event-logs.yml

* Create clear-windows-event-logs-remotely.yml

* Update clear-windows-event-logs-remotely.yml

* Update clear-windows-event-logs-remotely.yml

* Update clear-windows-event-logs-remotely.yml

* Revert "Update clear-windows-event-logs-remotely.yml"

This reverts commit 97b5730.

* Update clear-windows-event-logs-remotely.yml

* Update clear-windows-event-logs-remotely.yml

---------

Co-authored-by: Elad Levi <[email protected]>

Author: JakePeralta7

anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs-remotely.yml

@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: clear Windows event logs remotely
+    namespace: anti-analysis/anti-forensic/clear-logs
+    authors:
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: span of calls
+    att&ck:
+      - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
+    references:
+      - https://github.com/getel-arch/ClearLogsRemotely
+    examples:
+      - 4f509bdfe5a2fe4320cdc070eedc0a72e12cc08f43d60a7701305b3d1408102b:0x1400014de
+  features:
+    - and:
+      - api: wevtapi.EvtOpenSession
+      - api: wevtapi.EvtOpenLog
+      - api: wevtapi.EvtClearLog

anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml

@@ -20,9 +20,12 @@ rule:
           - or:
             - api: advapi32.ElfClearEventLogFile
             - api: advapi32.ClearEventLog
+            - api: wevtapi.EvtClearLog
           - optional:
             - api: advapi32.OpenEventLog
             - api: advapi32.GetNumberOfEventLogRecords
+            - api: wevtapi.EvtOpenLog
+            - api: wevtapi.EvtOpenSession
         - basic block:
           - and:
             - string: /wevtutil(\.exe)?\s+(clear-log|cl)/i