Detect Log Clearing With wevtutil

Description

This use case looks for the wevtutil process clearing the Windows Audit Logs.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Indicator Removal on Host

MITRE Threat Groups

APT28
APT29
APT32
APT38
APT41
Dragonfly 2.0
FIN5
FIN8

Kill Chain Phases

Actions on Objectives

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

This use case requires Sysmon to be installed on the endpoints you wish to monitor and the Sysmon add-on installed on your forwarders and search heads.

Known False Positives

None at the moment

How To Respond

When this search fires, you will want to verify with the owner of the account responsible for clearing the Windows Logs that it was a legitimate action taken on their part.

Help

Detect Log Clearing With wevtutil Help

This use case looks for the wevtutil process clearing the Windows Audit Logs.

SPL for Detect Log Clearing With wevtutil

Demo Data

First we load our basic demo data.
Next we look for any instances of wevtutil being launched (EventCode 1 indicates a process launch), and filter so that only events whose CommandLine string contains our suspicious values remain.
Then we put the data into a table because that's the easiest thing to use.

Live Data

First we load our Sysmon EDR data. We look for any instances of wevtutil being launched (EventCode 1 indicates a process launch), and filter so that only events whose CommandLine string contains our suspicious values remain.
Then we put the data into a table because that's the easiest thing to use.
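The live-data logic described above, as an added Python example (not the use case's own SPL, which this page does not reproduce): it applies the same three conditions, EventCode 1, an Image ending in wevtutil.exe, and a clearing verb on the command line, to constructed Sysmon records and returns the same host / user / command line rows the SPL tables. The verbs `cl` and `clear-log`, the `is_log_clear` / `detect_log_clearing` names and the sample records are assumptions, not from the page.

```python
import shlex

# Constructed Sysmon EventCode 1 (process creation) records, shaped like the
# Image / CommandLine fields the search inspects. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "host": "ws01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"EventCode": 1, "host": "ws01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "\"C:\\Windows\\System32\\wevtutil.exe\" /r:ws09 clear-log System"},
    {"EventCode": 1, "host": "ws02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil qe Security /c:5 /f:text"},   # query, not a clear
    {"EventCode": 3, "host": "ws02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Application"},          # network event, not a launch
    {"EventCode": 1, "host": "ws03", "User": "CORP\\carol",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo clear-log"},             # different image
]

# wevtutil verbs that clear a log (assumed to be the "suspicious" values the page refers to).
CLEAR_VERBS = {"cl", "clear-log"}

def is_log_clear(event):
    """True for a Sysmon process-launch event where wevtutil is run with a clear verb."""
    if event.get("EventCode") != 1:
        return False
    image = event.get("Image", "").replace("/", "\\").lower()
    if not image.endswith("\\wevtutil.exe"):
        return False
    try:
        # posix=False keeps Windows backslashes and quoted paths intact
        argv = shlex.split(event.get("CommandLine", ""), posix=False)
    except ValueError:
        return False
    # first token is the executable; skip leading /option:value switches to reach the verb
    verb = next((a.lower() for a in argv[1:] if not a.startswith("/")), None)
    return verb in CLEAR_VERBS

def detect_log_clearing(events):
    """Rows (host, user, command line) for every matching event, like the SPL table."""
    return [(e["host"], e["User"], e["CommandLine"]) for e in events if is_log_clear(e)]
```

Substring matching on "cl" alone would also flag the `qe` query and the `echo clear-log` record, which is why the check parses the verb position rather than grepping the whole string.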