public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-29 08:17:51 +01:00
Code Issues Projects Releases Wiki Activity
72aedc48da
LOLBAS/yml/OSBinaries/Wevtutil.yml
Tonmoy Jitu 72aedc48da
added more reference and contribution
2024-12-02 23:56:02 +11:00

48 lines
2.5 KiB
YAML
Raw Blame History

---
Name: Wevtutil.exe
Description: Wevtutil.exe is a built-in Windows utility for managing event logs. It allows querying, exporting, clearing, and configuring event logs, making it a versatile tool for system administrators. However, its capabilities can be abused by attackers to evade detection by selectively clearing or manipulating logs.
Author: Tonmoy Jitu
Created: 2024-11-25
Commands:
- Command: wevtutil cl Application
Description: Used to erase evidence of malicious activity or cleanup post-exploitation traces in application logs.
Usecase: Clears all entries from the Application event log.
Category: Dump
Privileges: Administrator
MitreID: T1070
OperatingSystem: Windows Vista and later
- Command: wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text
Description: Queries the Security log for specific events (e.g., Event ID 4624) and outputs results in text format.
Usecase: Used to extract relevant log details to analyze or selectively target events before log clearing.
Category: Reconnaissance
Privileges: User (Event Log Reader)
MitreID: T1218
OperatingSystem: Windows Vista and later
- Command: wevtutil qe Security /f:xml > exported_logs.xml
Description: Queries the Security event log and exports its contents in XML format to a file.
Usecase: Used to exfiltrate Security log data for analysis. The XML format allows attackers to parse and extract detailed information about audit events, user activity, or security configurations.
Category: Dump
Privileges: Administrator
MitreID: T1005
OperatingSystem: Windows Vista and later
Full_Path:
- Path: C:\Windows\System32\wevtutil.exe
- Path: C:\Windows\SysWOW64\wevtutil.exe
Code_Sample:
- Code: https://example.com/sample-code
Detection:
- IOC: Use of wevtutil cl in command-line logs.
- IOC: Multiple wevtutil qe commands targeting specific Event IDs.
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
- Splunk: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_a_ransomware_attack/Wevtutil.exe_abuse
Resources:
- Link: https://www.reddit.com/r/ThreathuntingDFIR/comments/1b625v8/wevtutil_dumping_logs_without_powershell/
- Link: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
- Link: https://x.com/tonmoy0010/status/1860963760774713805
- Link: https://attack.mitre.org/software/S0645/
Acknowledgement:
- Person: Tonmoy Jitu
Handle: '@tonmoy0010'
- Person: Secret Guy
Handle: 'GoranLind'
Reference in New Issue View Git Blame Copy Permalink