LOLBAS/yml/OSBinaries/Wevtutil.yml

---
Name: Wevtutil.exe
Description: Wevtutil.exe is a built-in Windows utility for managing event logs. It allows querying, exporting, clearing, and configuring event logs, making it a versatile tool for system administrators. However, its capabilities can be abused by attackers to evade detection by selectively clearing or manipulating logs.
Author: Tonmoy Jitu
Created: 2024-11-25
Commands:
  - Command: wevtutil cl Application
    Description: Used to erase evidence of malicious activity or cleanup post-exploitation traces in application logs.
    Usecase: Clears all entries from the Application event log.
    Category: Dump
    Privileges: Administrator
    MitreID: T1070
    OperatingSystem: Windows Vista and later
  - Command: wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text
    Description: Queries the Security log for specific events (e.g., Event ID 4624) and outputs results in text format.
    Usecase: Used to extract relevant log details to analyze or selectively target events before log clearing.
    Category: Reconnaissance
    Privileges: User (Event Log Reader)
    MitreID: T1218
    OperatingSystem: Windows Vista and later
  - Command: wevtutil qe Security /f:xml > exported_logs.xml
    Description: Queries the Security event log and exports its contents in XML format to a file.
    Usecase: Used to exfiltrate Security log data for analysis. The XML format allows attackers to parse and extract detailed information about audit events, user activity, or security configurations.
    Category: Dump
    Privileges: Administrator
    MitreID: T1005
    OperatingSystem: Windows Vista and later
Full_Path:
  - Path: C:\Windows\System32\wevtutil.exe
  - Path: C:\Windows\SysWOW64\wevtutil.exe
Code_Sample:
  - Code: https://example.com/sample-code
Detection:
  - IOC: Use of wevtutil cl in command-line logs.
  - IOC: Multiple wevtutil qe commands targeting specific Event IDs.
  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
  - Splunk: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_a_ransomware_attack/Wevtutil.exe_abuse
Resources:
  - Link: https://www.reddit.com/r/ThreathuntingDFIR/comments/1b625v8/wevtutil_dumping_logs_without_powershell/
  - Link: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
  - Link: https://x.com/tonmoy0010/status/1860963760774713805
  - Link: https://attack.mitre.org/software/S0645/
Acknowledgement:
  - Person: Tonmoy Jitu
    Handle: '@tonmoy0010'
  - Person: Secret Guy
    Handle: 'GoranLind'
Added new technique: wevtutil.exe 2024-11-25 10:01:51 +01:00			`---`
			`Name: Wevtutil.exe`
			`Description: Wevtutil.exe is a built-in Windows utility for managing event logs. It allows querying, exporting, clearing, and configuring event logs, making it a versatile tool for system administrators. However, its capabilities can be abused by attackers to evade detection by selectively clearing or manipulating logs.`
			`Author: Tonmoy Jitu`
			`Created: 2024-11-25`
			`Commands:`
			`- Command: wevtutil cl Application`
			`Description: Used to erase evidence of malicious activity or cleanup post-exploitation traces in application logs.`
			`Usecase: Clears all entries from the Application event log.`
			`Category: Dump`
			`Privileges: Administrator`
			`MitreID: T1070`
			`OperatingSystem: Windows Vista and later`
			`- Command: wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text`
			`Description: Queries the Security log for specific events (e.g., Event ID 4624) and outputs results in text format.`
			`Usecase: Used to extract relevant log details to analyze or selectively target events before log clearing.`
			`Category: Reconnaissance`
			`Privileges: User (Event Log Reader)`
			`MitreID: T1218`
			`OperatingSystem: Windows Vista and later`
			`- Command: wevtutil qe Security /f:xml > exported_logs.xml`
			`Description: Queries the Security event log and exports its contents in XML format to a file.`
Fix formatting issues 2024-11-25 10:17:04 +01:00			`Usecase: Used to exfiltrate Security log data for analysis. The XML format allows attackers to parse and extract detailed information about audit events, user activity, or security configurations.`
Added new technique: wevtutil.exe 2024-11-25 10:01:51 +01:00			`Category: Dump`
			`Privileges: Administrator`
			`MitreID: T1005`
			`OperatingSystem: Windows Vista and later`
			`Full_Path:`
			`- Path: C:\Windows\System32\wevtutil.exe`
			`- Path: C:\Windows\SysWOW64\wevtutil.exe`
			`Code_Sample:`
Fix formatting issues 2024-11-25 10:17:04 +01:00			`- Code: https://example.com/sample-code`
Added new technique: wevtutil.exe 2024-11-25 10:01:51 +01:00			`Detection:`
			`- IOC: Use of wevtutil cl in command-line logs.`
			`- IOC: Multiple wevtutil qe commands targeting specific Event IDs.`
			`- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml`
			`- Splunk: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_a_ransomware_attack/Wevtutil.exe_abuse`
			`Resources:`
added more reference and contribution 2024-12-02 13:56:02 +01:00			`- Link: https://www.reddit.com/r/ThreathuntingDFIR/comments/1b625v8/wevtutil_dumping_logs_without_powershell/`
Fix formatting issues 2024-11-25 10:17:04 +01:00			`- Link: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/`
Added new technique: wevtutil.exe 2024-11-25 10:01:51 +01:00			`- Link: https://x.com/tonmoy0010/status/1860963760774713805`
added more reference and contribution 2024-12-02 13:56:02 +01:00			`- Link: https://attack.mitre.org/software/S0645/`
Added new technique: wevtutil.exe 2024-11-25 10:01:51 +01:00			`Acknowledgement:`
			`- Person: Tonmoy Jitu`
Fix formatting issues 2024-11-25 10:17:04 +01:00			`Handle: '@tonmoy0010'`
added more reference and contribution 2024-12-02 13:56:02 +01:00			`- Person: Secret Guy`
			`Handle: 'GoranLind'`