
Conversation

@tonmoy0010

Added a new technique utilizing Wevtutil.exe, a Windows command-line utility for managing event logs. This binary can be exploited by attackers to enumerate, clear, and manipulate event logs, making it useful for evading detection or gathering information about the system. Included details on its legitimate use, potential abuse scenarios, and detection methods.

As published on:
Twitter - https://x.com/tonmoy0010/status/1860963760774713805
Blog - https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
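As an added defender-side example (not part of this submission or of any LOLBAS entry), the following Python detector classifies wevtutil invocations found in process-creation telemetry by verb, rating log clearing and log disabling highest; the Sysmon-style records, their field names and the user names are constructed assumptions.

```python
import shlex

# Constructed Sysmon-style (Event ID 1) process-creation records; not taken from the PR.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": r'"C:\Windows\System32\wevtutil.exe" sl Microsoft-Windows-PowerShell/Operational /e:false',
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "WEVTUTIL EL", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil qe Security /c:5 /rd:true /f:text", "User": "CORP\\backup"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "User": "CORP\\jdoe"},
]

# Short and long spellings of the wevtutil verbs this detector cares about.
VERBS = {"cl": "clear-log", "clear-log": "clear-log",
         "sl": "set-log", "set-log": "set-log",
         "el": "enum-logs", "enum-logs": "enum-logs",
         "gl": "get-log", "get-log": "get-log",
         "qe": "query-events", "query-events": "query-events",
         "epl": "export-log", "export-log": "export-log"}

def classify(event):
    """Return a finding for a wevtutil invocation, or None for any other process."""
    if not event.get("Image", "").lower().endswith("\\wevtutil.exe"):
        return None
    # Windows command lines: keep backslashes literal, then drop surrounding quotes.
    argv = [a.strip('"') for a in shlex.split(event["CommandLine"], posix=False)]
    if len(argv) < 2:
        return None
    verb = VERBS.get(argv[1].lower())
    if verb is None:
        return None
    target = argv[2] if len(argv) > 2 and not argv[2].startswith("/") else None
    opts = [a.lower() for a in argv[2:] if a.startswith("/")]
    if verb == "clear-log":
        severity, reason = "high", "event log cleared; correlate with Security 1102 / System 104"
    elif verb == "set-log" and "/e:false" in opts:
        severity, reason = "high", "event log disabled"
    elif verb == "set-log":
        severity, reason = "medium", "event log configuration changed"
    else:
        severity, reason = "low", "event log discovery or collection"
    return {"verb": verb, "log": target, "severity": severity,
            "reason": reason, "user": event.get("User")}

def scan(events):
    """Run classify() over a batch of records and keep only the wevtutil findings."""
    return [f for f in (classify(e) for e in events) if f]
```

The quoted-path and upper-case records show why matching on the normalized image path and verb, rather than on a raw substring, keeps the detection from being bypassed by trivial rewording of the command line.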

@wietze
Member

wietze commented Dec 29, 2024

Hey @tonmoy0010, hope you are doing well! Thank you for taking the time to create a submission to the LOLBAS Project - we really value the community's input.

According to the LOLBAS Criteria, each binary/script must have 'unexpected' capabilities. From what I can see, the functionality you list is 'expected' for the executable.

That doesn't mean the functionality you documented is not useful for e.g. red teamers (on the contrary, as the blog/tweet you reference show), but if my assessment is right, this entry would unfortunately not be the right fit for this project. For that reason I'm closing this pull request now; if you think I'm wrong though, please comment in here and I'll reopen the pull request.
