{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/event-logs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","event-logs"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAdversaries clear Windows event logs to evade detection and to hinder forensic investigation, typically late in an intrusion once their objectives are met. Clearing a log removes the recorded evidence of their activity and makes it harder to reconstruct what was done and how far the compromise extends. \u003ccode\u003ewevtutil.exe\u003c/code\u003e, a legitimate Windows command-line utility for managing event logs, clears a log when invoked with the \u003ccode\u003eclear-log\u003c/code\u003e command (short form \u003ccode\u003ecl\u003c/code\u003e). Execution of \u003ccode\u003ewevtutil.exe\u003c/code\u003e with this command is rare in routine operations and is a strong indicator of an attempt to cover tracks; the behaviour corresponds to MITRE ATT\u0026amp;CK T1070.001 (Indicator Removal: Clear Windows Event Logs). 
It matters to defenders because a cleared log can prevent them from ever fully understanding the attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through unspecified means (e.g., exploiting a vulnerability or through phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to perform reconnaissance and privilege escalation.\u003c/li\u003e\n\u003cli\u003eAfter achieving the desired privileges and completing their objectives, the attacker runs \u003ccode\u003ewevtutil.exe\u003c/code\u003e with the \u003ccode\u003eclear-log\u003c/code\u003e (or \u003ccode\u003ecl\u003c/code\u003e) command, naming the log to clear (e.g., Security, Application, System). For example: \u003ccode\u003ewevtutil cl Security\u003c/code\u003e. Clearing the Security log requires administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe process creation is recorded by endpoint detection and response (EDR) agents or native auditing (Sysmon Event ID 1, Security Event ID 4688), capturing the image path (\u003ccode\u003ewevtutil.exe\u003c/code\u003e) and the full command line, including the \u003ccode\u003eclear-log\u003c/code\u003e argument and the target log.\u003c/li\u003e\n\u003cli\u003eThe targeted log is emptied, removing entries related to the attacker\u0026rsquo;s activities. Windows records the clearing itself: Security Event ID 1102 is written as the first entry of the freshly cleared Security log, and System Event ID 104 is written when any other log is cleared.\u003c/li\u003e\n\u003cli\u003eForensic investigation is hampered by the missing event log data, making it difficult to trace the attacker\u0026rsquo;s actions and establish the full scope of the compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful clearing of event logs significantly impedes incident response. With the evidence of their actions gone, attackers can prolong their presence in the environment and make it harder to establish the extent of the damage. 
In ransomware intrusions this can delay recovery and increase the overall impact. The detection relies on process creation telemetry originating from Endpoint Detection and Response (EDR) agents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command-line capture: Sysmon Event ID 1, or Windows Security Event ID 4688 with the \u0026ldquo;Include command line in process creation events\u0026rdquo; policy enabled, since 4688 does not record arguments by default.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect the execution of \u003ccode\u003ewevtutil.exe\u003c/code\u003e with the \u003ccode\u003eclear-log\u003c/code\u003e parameter. Match the short alias \u003ccode\u003ecl\u003c/code\u003e as well as \u003ccode\u003eclear-log\u003c/code\u003e, compare case-insensitively, and where Sysmon is available also match on \u003ccode\u003eOriginalFileName\u003c/code\u003e so that a renamed copy of the binary is still caught.\u003c/li\u003e\n\u003cli\u003eCorroborate with the log-clearing audit events themselves (Security 1102, System 104); the 1102 entry survives the clear because it is written into the newly emptied log.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instance of \u003ccode\u003ewevtutil.exe\u003c/code\u003e clearing a log, paying attention to the parent process and the user: a clear launched from a script under a service account, or shortly after other suspicious activity, is more likely malicious than one run interactively by an administrator.\u003c/li\u003e\n\u003cli\u003eTune the Sigma rules for false positives based on legitimate administrator usage of \u003ccode\u003ewevtutil.exe\u003c/code\u003e in your environment, for example log rotation scripts or image-preparation routines.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-windows-eventlog-cleared-wevtutil/","summary":"Adversaries may clear Windows event logs using `wevtutil.exe` to remove evidence of their activity and hinder forensic investigations.","title":"Windows Eventlog Cleared Via Wevtutil","url":"https://feed.craftedsignal.io/briefs/2024-01-windows-eventlog-cleared-wevtutil/"}],"language":"en","title":"CraftedSignal Threat Feed — Event-Logs","version":"https://jsonfeed.org/version/1.1"}
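The detection logic the brief's Recommendation section describes, run over constructed process-creation records, as an added Python example that is not part of the feed entry, the Splunk content, or the Sigma rules it refers to. Field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage, User, Computer); the 4688-to-Sysmon mapping, the sample events and all helper names are this example's own assumptions. It goes slightly beyond the text by handling the `cl` alias, case differences, the `/bu:` backup option and a renamed copy of the binary.

```python
"""Flag wevtutil.exe clear-log executions in process-creation telemetry.

Added illustration for this brief: not the feed's Sigma rules and not Splunk
code. Input records are dicts keyed by Sysmon Event ID 1 field names; Security
4688 records are mapped onto those names by normalize_4688(). Every sample
event below is constructed, not captured from a real host.
"""
import shlex
from typing import Dict, List, Optional

# Only these wevtutil commands clear a log ("cl" is the short alias of "clear-log").
CLEAR_COMMANDS = {"clear-log", "cl"}


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line; posix=False keeps backslashes and quoted paths intact."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        return cmdline.split()


def is_wevtutil(record: Dict[str, str]) -> bool:
    """True if the process is wevtutil, even if the file on disk was renamed.

    Sysmon reports the PE header's OriginalFileName, so a renamed copy is still
    identified; 4688 has no such field, so only the image path test applies there.
    """
    image = record.get("Image", "").rsplit("\\", 1)[-1].lower()
    return image == "wevtutil.exe" or record.get("OriginalFileName", "").lower() == "wevtutil.exe"


def clear_log_target(record: Dict[str, str]) -> Optional[str]:
    """Return the name of the log being cleared, or None for any other invocation."""
    if not is_wevtutil(record):
        return None
    toks = _tokens(record.get("CommandLine", ""))
    if len(toks) < 2 or toks[1].lower() not in CLEAR_COMMANDS:
        return None
    # The first non-option argument after the command is the log name;
    # "/bu:<file>" (back up before clearing) is the only option cl accepts.
    for tok in toks[2:]:
        if not tok.startswith("/"):
            return tok.strip('"')
    return "<unspecified>"


def normalize_4688(event: Dict[str, str]) -> Dict[str, str]:
    """Map a Security 4688 record onto the Sysmon field names used above."""
    return {
        "Computer": event.get("Computer", ""),
        "User": event.get("SubjectDomainName", "") + "\\" + event.get("SubjectUserName", ""),
        "Image": event.get("NewProcessName", ""),
        "OriginalFileName": "",                       # 4688 does not carry this field
        "CommandLine": event.get("CommandLine", ""),  # empty unless command-line auditing is on
        "ParentImage": event.get("ParentProcessName", ""),
    }


def detect(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert per clear-log execution, carrying the context an analyst triages on."""
    alerts = []
    for rec in records:
        target = clear_log_target(rec)
        if target is None:
            continue
        alerts.append({"host": rec.get("Computer", ""), "user": rec.get("User", ""),
                       "log": target, "parent": rec.get("ParentImage", ""),
                       "cmdline": rec.get("CommandLine", "")})
    return alerts


SYS32 = "C:\\Windows\\System32\\"
# Constructed Sysmon Event ID 1 records (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\jdoe", "Image": SYS32 + "wevtutil.exe",
     "OriginalFileName": "wevtutil.exe", "CommandLine": "wevtutil cl Security",
     "ParentImage": SYS32 + "cmd.exe"},
    {"Computer": "WS01", "User": "CORP\\jdoe", "Image": SYS32 + "wevtutil.exe",
     "OriginalFileName": "wevtutil.exe",
     "CommandLine": '"' + SYS32 + 'wevtutil.exe" CLEAR-LOG "Microsoft-Windows-PowerShell/Operational"',
     "ParentImage": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"},
    # Renamed copy: the image path says nothing, OriginalFileName gives it away.
    {"Computer": "SRV02", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Users\\Public\\svc.exe",
     "OriginalFileName": "wevtutil.exe", "CommandLine": "svc.exe cl System /bu:C:\\Users\\Public\\s.evtx",
     "ParentImage": "C:\\Users\\Public\\run.exe"},
    # Benign: querying the log, not clearing it.
    {"Computer": "WS01", "User": "CORP\\admin", "Image": SYS32 + "wevtutil.exe",
     "OriginalFileName": "wevtutil.exe", "CommandLine": "wevtutil qe Security /c:5 /f:text",
     "ParentImage": SYS32 + "cmd.exe"},
    # Benign: an unrelated binary whose arguments happen to resemble "cl".
    {"Computer": "WS01", "User": "CORP\\dev", "Image": "C:\\Tools\\cl.exe", "OriginalFileName": "cl.exe",
     "CommandLine": "cl.exe /c main.c", "ParentImage": SYS32 + "cmd.exe"},
]
# Constructed Security 4688 record with command-line auditing enabled.
SAMPLE_4688 = {"Computer": "WS03", "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
               "NewProcessName": SYS32 + "wevtutil.exe", "CommandLine": "wevtutil.exe clear-log Application",
               "ParentProcessName": SYS32 + "cmd.exe"}

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS + [normalize_4688(SAMPLE_4688)]):
        print(alert)
```

Running the script prints three alerts from the Sysmon samples (Security, the PowerShell operational log, and System via the renamed copy) plus one from the 4688 record, and nothing for the two benign events. The renamed-copy case is only catchable through Sysmon's OriginalFileName; a 4688-only pipeline would miss it, which is one reason to prefer Sysmon telemetry for this rule where it is available.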