-
Notifications
You must be signed in to change notification settings - Fork 1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Tonmoy Jitu
authored and
Tonmoy Jitu
committed
Nov 25, 2024
1 parent
baaa5bb
commit 0986609
Showing
1 changed file
with
43 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| --- | ||
| Name: Wevtutil.exe | ||
| Description: Wevtutil.exe is a built-in Windows utility for managing event logs. It allows querying, exporting, clearing, and configuring event logs, making it a versatile tool for system administrators. However, its capabilities can be abused by attackers to evade detection by selectively clearing or manipulating logs. | ||
| Author: Tonmoy Jitu | ||
| Created: 2024-11-25 | ||
| Commands: | ||
| - Command: wevtutil cl Application | ||
| Description: Used to erase evidence of malicious activity or cleanup post-exploitation traces in application logs. | ||
| Usecase: Clears all entries from the Application event log. | ||
| Category: Dump | ||
| Privileges: Administrator | ||
| MitreID: T1070 | ||
| OperatingSystem: Windows Vista and later | ||
| - Command: wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text | ||
| Description: Queries the Security log for specific events (e.g., Event ID 4624) and outputs results in text format. | ||
| Usecase: Used to extract relevant log details to analyze or selectively target events before log clearing. | ||
| Category: Reconnaissance | ||
| Privileges: User (Event Log Reader) | ||
| MitreID: T1218 | ||
| OperatingSystem: Windows Vista and later | ||
| - Command: wevtutil qe Security /f:xml > exported_logs.xml | ||
| Description: Queries the Security event log and exports its contents in XML format to a file. | ||
| Usecase: sed to exfiltrate Security log data for analysis. The XML format allows attackers to parse and extract detailed information about audit events, user activity, or security configurations. | ||
| Category: Dump | ||
| Privileges: Administrator | ||
| MitreID: T1005 | ||
| OperatingSystem: Windows Vista and later | ||
| Full_Path: | ||
| - Path: C:\Windows\System32\wevtutil.exe | ||
| - Path: C:\Windows\SysWOW64\wevtutil.exe | ||
| Code_Sample: | ||
| - Code: | ||
| Detection: | ||
| - IOC: Use of wevtutil cl in command-line logs. | ||
| - IOC: Multiple wevtutil qe commands targeting specific Event IDs. | ||
| - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml | ||
| - Splunk: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_a_ransomware_attack/Wevtutil.exe_abuse | ||
| Resources: | ||
| - Link: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/ | ||
| - Link: https://x.com/tonmoy0010/status/1860963760774713805 | ||
| Acknowledgement: | ||
| - Person: Tonmoy Jitu | ||
| Handle: '@tonmoy0010' |