Attack Chain

1. Initial access is gained through unspecified means (e.g., exploiting a vulnerability or through phishing).
2. The attacker executes commands to perform reconnaissance and privilege escalation.
3. After achieving desired privileges and completing their objectives, the attacker uses wevtutil.exe to clear specific event logs.
4. The attacker executes wevtutil.exe with the clear-log parameter, specifying the log to clear (e.g., Security, Application, System). For example: wevtutil cl Security.
5. The command execution is logged by endpoint detection and response (EDR) agents, capturing the process name (wevtutil.exe) and command-line arguments (clear-log).
6. Windows Event Logs, such as the Security log, are cleared of their contents, removing entries related to the attacker’s activities.
7. Forensic investigations are hampered due to missing event log data, making it difficult to trace the attacker’s actions and understand the full scope of the compromise.

Impact

Successful clearing of event logs can significantly impede incident response efforts. By removing evidence of their actions, attackers can prolong their presence in the compromised environment and make it more difficult to identify the extent of the damage. In cases of ransomware attacks, this could delay recovery efforts and increase the overall impact. The detection is based on data that originates from Endpoint Detection and Response (EDR) agents.

Recommendation

• Enable process creation logging, specifically Sysmon Event ID 1 or Windows Event Log Security 4688, to capture wevtutil.exe executions.
• Deploy the provided Sigma rules to your SIEM to detect the execution of wevtutil.exe with the clear-log parameter.
• Investigate any detected instances of wevtutil.exe being used to clear logs, as this could indicate malicious activity.
• Tune the Sigma rules for false positives based on legitimate administrator usage of wevtutil.exe in your environment.