Attack Chain

1. Initial Access: An attacker gains initial access to a system through various means (e.g., phishing, exploiting vulnerabilities).
2. Privilege Escalation: The attacker elevates privileges to gain the necessary permissions to manipulate event logs.
3. Credential Access: The attacker attempts to obtain valid credentials.
4. Defense Evasion: The attacker uses wevtutil.exe with specific parameters to clear security, application, system, or other event logs. The command line includes arguments such as “cl” or “clear-log” followed by the name of the log to clear (e.g., wevtutil cl Security).
5. Persistence: The attacker may establish persistence mechanisms to maintain access to the compromised system.
6. Lateral Movement: The attacker moves laterally to other systems within the network, repeating the steps of privilege escalation and log clearing.
7. Exfiltration/Impact: Depending on the attacker’s objectives, they may exfiltrate sensitive data or cause damage to the system or network.

Impact

Successful clearing of event logs can severely impair an organization’s ability to detect and respond to security incidents. This can lead to delayed detection of breaches, increased dwell time for attackers, and difficulty in understanding the full extent of a compromise. The loss of log data can also hinder compliance efforts and legal investigations.

Recommendation

• Deploy the Sigma rule Suspicious Wevtutil Usage to your SIEM and tune for your environment to detect the clearing of event logs using wevtutil.exe.
• Enable Sysmon process-creation logging (Event ID 1) and Windows Event Log Security logging (Event ID 4688) to ensure the necessary data is available for the detection rule.
• Investigate any detected instances of wevtutil.exe being used to clear logs, focusing on the parent process, user account, and affected system.
• Monitor endpoint logs for unusual or unauthorized use of command-line tools for log manipulation.