Event Log Manipulation Using Wevtutil
Detects the use of wevtutil to clear or otherwise manipulate Windows event logs.
Sigma rule
```yaml
title: Event Log Manipulation Using Wevtutil
id: 4d71069b-dda7-4df7-b835-1f23dd212615
status: experimental
description: Detects the use of wevtutil to clear or otherwise manipulate Windows event logs.
references:
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
author: Micah Babinski
date: 2022/11/22
tags:
    - attack.defense_evasion
    - attack.t1070
    - attack.g0092
logsource:
    category: process_creation
    product: windows
detection:
    selection_exe:
        Image|endswith: '\wevtutil.exe'
    selection_clear:
        CommandLine|contains:
            - ' cl '
            - 'clear-log'
    selection_set:
        CommandLine|contains:
            - ' sl '
            - 'set-log'
    selection_set_flags:
        CommandLine|contains|windash:
            - '/e:false'
            - '/ms:'
    condition: selection_exe and (selection_clear or (selection_set and selection_set_flags))
falsepositives:
    - Unknown
level: high
```
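To show how the rule's selections and condition combine, the following is an added example (not part of the Sigma project or the rule author's work) that re-implements the rule's logic in Python and runs it over a handful of constructed process_creation events. The field values are copied from the rule; the `windash` helper is an assumed minimal approximation of Sigma's `|windash` modifier that only permutes `-` and `/` (real backends such as pySigma also permute Unicode dash characters), and string matching is case-insensitive as the Sigma spec defines by default.

```python
import itertools

# Field values taken from the rule above; everything else is constructed
# for this illustration and is not part of the Sigma project.
IMAGE_SUFFIX = r"\wevtutil.exe"
CLEAR_TOKENS = [" cl ", "clear-log"]
SET_TOKENS = [" sl ", "set-log"]
SET_FLAGS = ["/e:false", "/ms:"]


def windash(value: str) -> set[str]:
    """Minimal approximation of Sigma's |windash modifier: return every
    variant of the value in which each '-' or '/' is replaced by either
    character. Real backends also permute Unicode dashes; omitted here."""
    positions = [i for i, ch in enumerate(value) if ch in "-/"]
    variants = set()
    for combo in itertools.product("-/", repeat=len(positions)):
        chars = list(value)
        for pos, repl in zip(positions, combo):
            chars[pos] = repl
        variants.add("".join(chars))
    return variants


def contains_any(haystack: str, needles) -> bool:
    # Sigma string matching is case-insensitive by default.
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def matches(event: dict) -> bool:
    """Evaluate the rule's condition against one process_creation event.
    Keys mirror the Sigma field names: 'Image' and 'CommandLine'."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")

    selection_exe = image.lower().endswith(IMAGE_SUFFIX.lower())
    selection_clear = contains_any(cmd, CLEAR_TOKENS)
    selection_set = contains_any(cmd, SET_TOKENS)
    flag_variants = {v for f in SET_FLAGS for v in windash(f)}
    selection_set_flags = contains_any(cmd, flag_variants)

    # condition: selection_exe and (selection_clear or (selection_set and selection_set_flags))
    return selection_exe and (selection_clear or (selection_set and selection_set_flags))


# Constructed sample events (not real telemetry) covering each branch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},             # clear-log short form
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil sl Security /e:false"},        # set-log, log disabled
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil sl Security -ms:1024"},        # dash variant caught by windash
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil qe Security /c:5 /f:text"},    # query only, no match
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil sl Security"},                 # set-log without a flagged option
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c wevtutil cl Security"},      # Image mismatch; the spawned
                                                             # wevtutil.exe child event would match
]


def evaluate(events) -> list[bool]:
    """Return one True/False verdict per event, in input order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT' if hit else 'ok   '} {e['CommandLine']}")
```

Two details worth noticing when tuning this rule: the `' cl '` and `' sl '` tokens carry surrounding spaces, so they only match when the verb sits between the executable name and a log name, and the `windash` modifier is what lets `-ms:` match even though the rule only spells `/ms:`.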
Related rules
- Boot Configuration Database (BCD) Manipulation - Registry Modification
- Use of bcdedit to Disrupt Boot Processes
- Malicious QakBot Dropped File Creation (Sysmon)
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components