Event Log Manipulation Using Wevtutil

calendar Nov 22, 2022 · attack.defense_evasion attack.t1070 attack.g0092  ·
Share on: linkedin copy

Detects the use of wevtutil to clear or otherwise manipulate Windows event logs.

Sigma rule (View on GitHub)

 1title: Event Log Manipulation Using Wevtutil
 2id: 4d71069b-dda7-4df7-b835-1f23dd212615
 3status: experimental
 4description: Detects the use of wevtutil to clear or otherwise manipulate Windows event logs.
 5references:
 6    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
 7author: Micah Babinski
 8date: 2022/11/22
 9tags:
10    - attack.defense_evasion
11    - attack.t1070
12    - attack.g0092
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_exe:
18        Image|endswith: '\wevtutil.exe'
19    selection_clear:
20        CommandLine|contains:
21            - ' cl '
22            - 'clear-log'
23    selection_set:
24        CommandLine|contains:
25            - ' sl '
26            - 'set-log'
27    selection_set_flags:
28        CommandLine|contains|windash: 
29            - '/e:false'
30            - '/ms:'
31    condition: selection_exe and (selection_clear or (selection_set and selection_set_flags))
32falsepositives:
33    - Unknown
34level: high```

References

  • #StopRansomware: Hive Ransomware | CISA

    Summary Actions to Take Today to Mitigate Cyber Threats from Ransomware: • Prioritize remediating known exploited vulnerabilities. • Enable and enforce multifactor authentication with strong passwo...


    Read More

Related rules

to-top