Added new technique: wevtutil.exe #411

Status: Open. Wants to merge 5 commits into base: master.

45 changes: 45 additions & 0 deletions yml/OSBinaries/Wevtutil.yml
@@ -0,0 +1,45 @@
---
Name: Wevtutil.exe
Description: Wevtutil.exe is a built-in Windows utility for managing event logs. It allows querying, exporting, clearing, and configuring event logs, making it a versatile tool for system administrators. However, its capabilities can be abused by attackers to evade detection by selectively clearing or manipulating logs.
Author: Tonmoy Jitu
Created: 2024-11-25
Commands:
- Command: wevtutil cl Application
Description: Used to erase evidence of malicious activity or cleanup post-exploitation traces in application logs.
Usecase: Clears all entries from the Application event log.
Category: Dump
Privileges: Administrator
MitreID: T1070
OperatingSystem: Windows Vista and later
- Command: wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text
Description: Queries the Security log for specific events (e.g., Event ID 4624) and outputs results in text format.
Usecase: Used to extract relevant log details to analyze or selectively target events before log clearing.
Category: Reconnaissance
Privileges: User (Event Log Reader)
MitreID: T1218
OperatingSystem: Windows Vista and later
- Command: wevtutil qe Security /f:xml > exported_logs.xml
Description: Queries the Security event log and exports its contents in XML format to a file.
Usecase: Used to exfiltrate Security log data for analysis. The XML format allows attackers to parse and extract detailed information about audit events, user activity, or security configurations.
Category: Dump
Privileges: Administrator
MitreID: T1005
OperatingSystem: Windows Vista and later
Full_Path:
- Path: C:\Windows\System32\wevtutil.exe
- Path: C:\Windows\SysWOW64\wevtutil.exe
Detection:
- IOC: Use of wevtutil cl in command-line logs.
- IOC: Multiple wevtutil qe commands targeting specific Event IDs.
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
- Splunk: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_a_ransomware_attack/Wevtutil.exe_abuse
Resources:
- Link: https://www.reddit.com/r/ThreathuntingDFIR/comments/1b625v8/wevtutil_dumping_logs_without_powershell/
- Link: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
- Link: https://x.com/tonmoy0010/status/1860963760774713805
- Link: https://attack.mitre.org/software/S0645/
Acknowledgement:
- Person: Tonmoy Jitu
Handle: '@tonmoy0010'
- Person: Secret Guy
Handle: '@GoranLind'
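Review bot: the MitreID on the second command (`wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text`) does not match the behaviour it describes: T1218 is System Binary Proxy Execution, and querying a log proxies nothing; Log Enumeration (T1654) is the technique that covers reading event logs for reconnaissance. In the same way, the first command clears a log, so the sub-technique T1070.001 (Clear Windows Event Logs) fits better than the parent T1070. Two smaller points in the same hunk: the first entry's Description and Usecase read as if swapped (by the file's convention Description states what the command does, `Clears all entries from the Application event log.`, and Usecase states the adversary goal), and `Category: Dump` does not describe clearing a log. The third command depends on shell redirection (`> exported_logs.xml`), so it only works when launched through cmd.exe or PowerShell; wevtutil's own `epl` verb exports a log to a file without a shell, which is worth either noting in the Description or using as the listed command. Finally, the Detection list could add the events Windows writes when a log is cleared, Security Event ID 1102 and System Event ID 104, since those fire even when process-creation logging is not enabled.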