45 changes: 45 additions & 0 deletions yml/OSBinaries/wevtutil.yml
@@ -0,0 +1,45 @@
---
Name: wevtutil.exe
Description: Windows command-line utility to manage event logs.
Author: Furkan Celik, Pure7
Created: 2025-08-22
Commands:
- Command: wevtutil.exe cl Security
Description: Clears the Security event log using wevtutil.exe.
Usecase: Remove event logs to evade detection, bypassing AV/EDR/SIEM logging, or remove indicators of compromise through legitimate signed binary execution.
Category: Anti-Forensics
Privileges: Admin
MitreID: T1070
OperatingSystem: Windows 10, Windows 11
- Command: wevtutil.exe cl Security
Description: Clears the Security event log, evading defenses by using a signed Microsoft binary.
Usecase: Remove indicators of compromise while evading AV/EDR detection.
Category: AWL Bypass
Privileges: Admin
MitreID: T1218
OperatingSystem: Windows 10, Windows 11
- Command: wevtutil.exe epl Security malicious.evtx
Description: Exports the Security event log to a malicious.evtx file using wevtutil.exe.
Usecase: Extract sensitive security events or create a backup for log manipulation, bypassing AV/EDR/SIEM logging.
Category: Collection
Privileges: Admin
MitreID: T1005
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\wevtutil.exe
- Path: C:\Windows\SysWOW64\wevtutil.exe
Detection:
- IOC: wevtutil.exe clearing event logs (e.g., cl parameter)
- IOC: wevtutil.exe exporting logs to unexpected .evtx files
- IOC: Event ID 1 with Image: wevtutil.exe and CommandLine: *cl*
- IOC: Event ID 1 with Image: wevtutil.exe and CommandLine: *epl* and CommandLine: *Security* and CommandLine: *.evtx*
- IOC: Event ID 4688 with New Process Name: wevtutil.exe and Process Command Line: *cl*
- IOC: Event ID 4688 with New Process Name: wevtutil.exe and Process Command Line: *epl* and Process Command Line: *Security* and Process Command Line: *.evtx*
- Sigma: https://github.com/frknclk34/SigmaRule/blob/main/Suspicious%20Windows%20Event%20Log%20Manipulation%20via%20Wevtutil
Resources:
- Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
Acknowledgement:
- Person: Furkan Celik
Handle: '@fkrnclk34'
- Person: Bogac Kaya
Handle: '@bogackaya'
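Review bot: the second Commands entry repeats the first command line verbatim (`wevtutil.exe cl Security`) but files it under `Category: AWL Bypass` with `MitreID: T1218`; clearing a log neither bypasses an application allowlist nor proxies execution of other code, so this entry should be dropped and its "signed Microsoft binary" wording folded into the first entry's Description if it is worth keeping. In the Detection list, `Event ID 1` should be qualified as Sysmon Event ID 1 so it is not confused with other providers, and the `Event ID 4688` entries only match on `Process Command Line` when command-line auditing is enabled, which is worth stating alongside the IOC. The `epl` Usecase ("create a backup for log manipulation, bypassing AV/EDR/SIEM logging") mixes two ideas; "export the Security log for offline review or tampering" reads more clearly and matches the Collection category. Finally, the Sigma link points at a personal repository rather than the upstream SigmaHQ tree, so consider either referencing the upstream rule or noting that this is an external rule.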