{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/log-manipulation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","log-manipulation"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThe following analytic detects the suspicious usage of \u003ccode\u003ewevtutil.exe\u003c/code\u003e to clear Windows event logs, including critical logs like Application, Security, Setup, Trace, and System. This behavior is often associated with threat actors attempting to remove evidence of their activities, thereby hindering incident response and forensic analysis. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs is commonly an attempt to cover tracks after malicious actions. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a system through various means (e.g., phishing, exploiting vulnerabilities).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker elevates privileges to gain the necessary permissions to manipulate event logs.\u003c/li\u003e\n\u003cli\u003eCredential Access: The attacker attempts to obtain valid credentials.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker uses \u003ccode\u003ewevtutil.exe\u003c/code\u003e with specific parameters to clear security, application, system, or other event logs. The command line includes arguments such as \u0026ldquo;cl\u0026rdquo; or \u0026ldquo;clear-log\u0026rdquo; followed by the name of the log to clear (e.g., \u003ccode\u003ewevtutil cl Security\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence mechanisms to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker moves laterally to other systems within the network, repeating the steps of privilege escalation and log clearing.\u003c/li\u003e\n\u003cli\u003eExfiltration/Impact: Depending on the attacker\u0026rsquo;s objectives, they may exfiltrate sensitive data or cause damage to the system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful clearing of event logs can severely impair an organization\u0026rsquo;s ability to detect and respond to security incidents. This can lead to delayed detection of breaches, increased dwell time for attackers, and difficulty in understanding the full extent of a compromise. The loss of log data can also hinder compliance efforts and legal investigations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Wevtutil Usage\u003c/code\u003e to your SIEM and tune it for your environment to detect the clearing of event logs using \u003ccode\u003ewevtutil.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) and Windows Security log process-creation auditing (Event ID 4688) to ensure the necessary data is available for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003ewevtutil.exe\u003c/code\u003e being used to clear logs, focusing on the parent process, user account, and affected system.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint logs for unusual or unauthorized use of command-line tools for log manipulation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-wevtutil/","summary":"Detection of wevtutil.exe being used with parameters to clear event logs, indicating potential attempts to evade detection and hinder forensic investigations by adversaries.","title":"Suspicious Wevtutil Usage for Clearing Windows Event Logs","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-wevtutil/"}],"language":"en","title":"CraftedSignal Threat Feed — Log-Manipulation","version":"https://jsonfeed.org/version/1.1"}