From 0986609c4b4dfa2bb31529e7b638094810709076 Mon Sep 17 00:00:00 2001 From: Tonmoy Jitu Date: Mon, 25 Nov 2024 20:01:51 +1100 Subject: [PATCH] Added new technique: wevtutil.exe --- yml/OSBinaries/Wevtutil.yml | 43 +++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 yml/OSBinaries/Wevtutil.yml diff --git a/yml/OSBinaries/Wevtutil.yml b/yml/OSBinaries/Wevtutil.yml new file mode 100644 index 0000000..ce39193 --- /dev/null +++ b/yml/OSBinaries/Wevtutil.yml 
@@ -0,0 +1,43 @@ +--- +Name: Wevtutil.exe +Description: Wevtutil.exe is a built-in Windows utility for managing event logs. It allows querying, exporting, clearing, and configuring event logs, making it a versatile tool for system administrators. However, its capabilities can be abused by attackers to evade detection by selectively clearing or manipulating logs. +Author: Tonmoy Jitu +Created: 2024-11-25 +Commands: + - Command: wevtutil cl Application + Description: Used to erase evidence of malicious activity or cleanup post-exploitation traces in application logs. + Usecase: Clears all entries from the Application event log. + Category: Dump + Privileges: Administrator + MitreID: T1070 + OperatingSystem: Windows Vista and later + - Command: wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text + Description: Queries the Security log for specific events (e.g., Event ID 4624) and outputs results in text format. + Usecase: Used to extract relevant log details to analyze or selectively target events before log clearing. + Category: Reconnaissance + Privileges: User (Event Log Reader) + MitreID: T1218 + OperatingSystem: Windows Vista and later + - Command: wevtutil qe Security /f:xml > exported_logs.xml + Description: Queries the Security event log and exports its contents in XML format to a file. + Usecase: sed to exfiltrate Security log data for analysis. The XML format allows attackers to parse and extract detailed information about audit events, user activity, or security configurations. + Category: Dump + Privileges: Administrator + MitreID: T1005 + OperatingSystem: Windows Vista and later +Full_Path: + - Path: C:\Windows\System32\wevtutil.exe + - Path: C:\Windows\SysWOW64\wevtutil.exe +Code_Sample: + - Code: +Detection: + - IOC: Use of wevtutil cl in command-line logs. + - IOC: Multiple wevtutil qe commands targeting specific Event IDs. 
+ - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml + - Splunk: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_a_ransomware_attack/Wevtutil.exe_abuse +Resources: + - Link: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/ + - Link: https://x.com/tonmoy0010/status/1860963760774713805 +Acknowledgement: + - Person: Tonmoy Jitu + Handle: '@tonmoy0010' \ No newline at end of file
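Review bot: The three Commands entries are not consistent with each other in the Description/Usecase split, and the first entry's Category does not match what the command does. For `wevtutil cl Application` the Description reads "Used to erase evidence of malicious activity..." while the Usecase reads "Clears all entries from the Application event log.", which is the reverse of entries two and three (Description = what the command does, Usecase = how it is abused); swap the two fields so the file follows one convention. A log-clearing command is not a "Dump", and since the Usecase is defence evasion the more specific MitreID is T1070.001 (Clear Windows Event Logs) rather than the parent T1070. In the second entry, `MitreID: T1218` (System Binary Proxy Execution) does not describe a log query; pick the ID that matches the stated reconnaissance/collection use, and reconcile the Privileges field, which says `User (Event Log Reader)` for one Security-log query and `Administrator` for the other although both read the same log. Also fix the typo in the third entry's Usecase ("sed to exfiltrate" should be "Used to exfiltrate"), and `Code_Sample: - Code:` is left with an empty value; either add a sample or drop the key so the YAML validates against the schema. Finally, the file is missing its trailing newline ("\ No newline at end of file").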