LOLBAS-Project · ThatTotallyRealMyth · Mar 23, 2025 · Mar 23, 2025 · Mar 23, 2025 · Mar 23, 2025
@@ -0,0 +1,32 @@
+---
+Name: wevtutil.exe
+Description: Windows binary to allow you to interact and preform actions(like stopping records or clearing) on logs within the windows local and remote host
+Author: Abdul Mhanni
+Created: 2025-03-23
+Commands:
+  - Command: WevtUtil.exe clear-log "log name"
+    Description: Clearing the specified log, note is case sensitive and must be in quotation marks. All logs present can be retrived via wevtutil.exe el
+    Usecase: You can use wevtutil to clear any log on a local or remote host(using /r). For remote host you can use NTLM for authentication as well as Username/Password
+    Category: Execute
+    Privileges: Local Administrator
+    MitreID: T1070
+    OperatingSystem: Windows vista and Up
+  - Command: wevtutil set-log "Microsoft-Windows-PowerShell/Operational" /e:false
+    Description: Setting the Microsoft-Windows-PowerShell/Operational log to false and thus stopping new events from being written to it
+    Usecase: Disable logging while you preform potentially noisy actions and want to reduce the chance of detection and then re-enable when done using /e:true
+    Category: Execute
+    Privileges: Local Administrator
+    MitreID: T1070
+    OperatingSystem: Windows vista and Up
+Full_Path:
+  - Path: C:\Windows\System32\wevtutil.exe
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
+  - Elastic: https://www.elastic.co/guide/en/security/current/clearing-windows-event-logs.html
+  - Splunk: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_a_ransomware_attack/Wevtutil.exe_abuse
+Resources:
+  - Link: https://ss64.com/nt/wevtutil.html
+  - Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+Acknowledgement:
+  - Person: Abdul Mhanni
+    Handle: