diff --git a/yml/OSBinaries/wevtutil.yml b/yml/OSBinaries/wevtutil.yml new file mode 100644 index 00000000..6383f0e6 --- /dev/null +++ b/yml/OSBinaries/wevtutil.yml @@ -0,0 +1,32 @@ +--- +Name: wevtutil.exe +Description: Windows binary to allow you to interact and preform actions(like stopping records or clearing) on logs within the windows local and remote host +Author: Abdul Mhanni +Created: 2025-03-23 +Commands: + - Command: WevtUtil.exe clear-log "log name" + Description: Clearing the specified log, note is case sensitive and must be in quotation marks. All logs present can be retrived via wevtutil.exe el + Usecase: You can use wevtutil to clear any log on a local or remote host(using /r). For remote host you can use NTLM for authentication as well as Username/Password + Category: Execute + Privileges: Local Administrator + MitreID: T1070 + OperatingSystem: Windows vista and Up + - Command: wevtutil set-log "Microsoft-Windows-PowerShell/Operational" /e:false + Description: Setting the Microsoft-Windows-PowerShell/Operational log to false and thus stopping new events from being written to it + Usecase: Disable logging while you preform potentially noisy actions and want to reduce the chance of detection and then re-enable when done using /e:true + Category: Execute + Privileges: Local Administrator + MitreID: T1070 + OperatingSystem: Windows vista and Up +Full_Path: + - Path: C:\Windows\System32\wevtutil.exe +Detection: + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml + - Elastic: https://www.elastic.co/guide/en/security/current/clearing-windows-event-logs.html + - Splunk: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_a_ransomware_attack/Wevtutil.exe_abuse +Resources: + - Link: https://ss64.com/nt/wevtutil.html + - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil +Acknowledgement: + - Person: Abdul Mhanni + Handle: