{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wevtutil/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","ransomware","windows","wevtutil"],"_cs_type":"advisory","_cs_vendors":["Splunk"],
"content_html":"\u003cp\u003eThis brief covers the detection of adversaries disabling Windows event logs with the \u003ccode\u003ewevtutil.exe\u003c/code\u003e utility. Disabling or clearing event logs (MITRE ATT\u0026CK T1562.002, Impair Defenses: Disable Windows Event Logging, and T1070.001, Indicator Removal: Clear Windows Event Logs) is a common defense evasion technique used by ransomware operators and other actors to remove evidence of their activity and impede incident response. The detection logic keys on the command-line parameters passed to \u003ccode\u003ewevtutil.exe\u003c/code\u003e that disable a log (\u003ccode\u003esl\u003c/code\u003e or \u003ccode\u003eset-log\u003c/code\u003e with \u003ccode\u003e/e:false\u003c/code\u003e or \u003ccode\u003e/enabled:false\u003c/code\u003e) or clear one (\u003ccode\u003ecl\u003c/code\u003e or \u003ccode\u003eclear-log\u003c/code\u003e). If the command succeeds, the attacker operates with reduced visibility, which complicates investigation and can extend the duration of the compromise. The activity is detected from process-creation telemetry: EDR process monitoring, Sysmon Event ID 1, or Security Event ID 4688 with command-line logging enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the target system, for example through phishing, exploitation of a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker obtains local administrator rights, which are required to change event log configuration or clear logs.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker executes \u003ccode\u003ewevtutil.exe\u003c/code\u003e with arguments that disable or clear event logs, such as \u003ccode\u003ewevtutil.exe sl \u0026lt;logname\u0026gt; /e:false\u003c/code\u003e, its long form \u003ccode\u003ewevtutil.exe set-log \u0026lt;logname\u0026gt; /enabled:false\u003c/code\u003e, or \u003ccode\u003ewevtutil.exe cl \u0026lt;logname\u0026gt;\u003c/code\u003e to clear a log outright.\u003c/li\u003e\n\u003cli\u003eLog Manipulation: The attacker targets specific event logs, such as the Security, Application, or System logs, to remove traces of their activity.\u003c/li\u003e\n\u003cli\u003ePersistence: In some cases, the attacker establishes persistence through scheduled tasks or registry modifications to retain access across reboots.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker may use the compromised system as a pivot to move laterally to other systems on the network, repeating the log disabling on each host to cover their tracks.\u003c/li\u003e\n\u003cli\u003eData Encryption/Exfiltration: After disabling logs and moving laterally, the attacker deploys ransomware to encrypt data, exfiltrates sensitive information, or both.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves the final objective, whether data encryption for ransom or exfiltration of sensitive information, with reduced chances of detection and a harder investigation because the logs were disabled.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling or clearing event logs lets attackers operate undetected for longer, increasing dwell time and the potential for damage. The consequences include data loss, financial loss from ransom demands, reputational damage, and higher incident response and recovery costs. In cases like the Ransom X ransomware attack (referenced in the original source), disabling logs was a key step in hiding malicious activity. Without log data, incident response is significantly more difficult and time-consuming, and the scope of the compromise may never be fully established.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules that accompany this brief to your SIEM or EDR solution to detect \u003ccode\u003ewevtutil.exe\u003c/code\u003e being used to disable or clear event logs.\u003c/li\u003e\n\u003cli\u003eEnable and monitor process creation logging with command-line arguments (Sysmon Event ID 1, or Security Event ID 4688 with the \u0026ldquo;Include command line in process creation events\u0026rdquo; policy enabled; without that policy 4688 records no command line and the detection has nothing to match).\u003c/li\u003e\n\u003cli\u003eAlert on the events Windows writes when a log is cleared, Security Event ID 1102 and System Event ID 104. Event 1102 is written as the first entry after the Security log is cleared, so the clear leaves a trace even when the process-creation event itself was lost.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts promptly to determine whether the activity is legitimate. \u003ccode\u003ewevtutil.exe\u003c/code\u003e is a built-in administrative tool, so baseline its use by management scripts and administrators, and treat a disable or clear of the Security log as high priority.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and the principle of least privilege to limit which users can execute \u003ccode\u003ewevtutil.exe\u003c/code\u003e or modify event log settings.\u003c/li\u003e\n\u003cli\u003eReview and harden your endpoint detection and response (EDR) configuration to ensure comprehensive process monitoring and event logging.\u003c/li\u003e\n\u003cli\u003eForward logs in near real time to a central collector (Windows Event Forwarding or a SIEM agent) that endpoints cannot modify, so events already collected survive local tampering; a host that stops reporting shortly after a \u003ccode\u003ewevtutil.exe\u003c/code\u003e execution is itself a signal.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-disable-logs-wevtutil/","summary":"Detection of the 'wevtutil.exe' command-line utility being used to disable event logs, a common tactic employed by ransomware actors to evade detection and hinder forensic analysis on compromised Windows systems.","title":"Detection of Event Log Disabling via WevtUtil","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-logs-wevtutil/"}],
"language":"en","title":"CraftedSignal Threat Feed — Wevtutil","version":"https://jsonfeed.org/version/1.1"}
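Worked detection example for the brief above. This is an added example, not a CraftedSignal rule and not the Sigma rules the brief refers to. It implements the command-line matching the brief describes for both the disable case (`sl`/`set-log` with `/e:false` or `/enabled:false`) and the clear case (`cl`/`clear-log`), and goes one step beyond the brief by also catching a copied or renamed `wevtutil.exe` through Sysmon's `OriginalFileName` field. The event field names (`Image`, `OriginalFileName`, `CommandLine`, `ParentImage`, `User`, `Computer`) follow Sysmon Event ID 1 and are an assumption; the sample events are constructed, not real telemetry.

```python
"""Flag wevtutil.exe invocations that disable (sl/set-log ... /e:false) or
clear (cl/clear-log) Windows event logs, from process-creation telemetry.

Added example, not the brief's Sigma rule. Event shape is an assumption: a dict
with Sysmon Event ID 1 field names. For Security 4688, map NewProcessName to
Image and CommandLine to CommandLine; 4688 has no OriginalFileName field.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# wevtutil verbs that change log state; short and long forms are equivalent.
DISABLE_VERBS = {"sl", "set-log"}
CLEAR_VERBS = {"cl", "clear-log"}
# /e:false or /enabled:false; wevtutil also accepts '-' as the option prefix.
ENABLED_OPT = re.compile(r"^[/-](?:e|enabled):(?P<val>\S+)$", re.IGNORECASE)
# Windows command lines: keep double-quoted arguments together, then strip the quotes.
ARG_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class Finding:
    technique: str      # ATT&CK sub-technique the command maps to
    action: str         # "disable" or "clear"
    log_name: str       # target log as written on the command line
    image: str
    command_line: str
    parent_image: str
    user: str
    computer: str


def tokenize(command_line: str) -> List[str]:
    return [t.strip('"') for t in ARG_RE.findall(command_line)]


def is_wevtutil(event: dict) -> bool:
    """Match the binary rather than its path: a copied or renamed wevtutil
    still carries OriginalFileName=wevtutil.exe in its PE version resource."""
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return image_name == "wevtutil.exe" or original == "wevtutil.exe"


def analyze(event: dict) -> Optional[Finding]:
    if not is_wevtutil(event):
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    if len(tokens) < 2:
        return None
    verb, args = tokens[1].lower(), tokens[2:]
    # The first non-option argument is the log name for both sl and cl.
    positional = [a for a in args if not a.startswith(("/", "-"))]
    log_name = positional[0] if positional else "<unspecified>"
    if verb in CLEAR_VERBS:
        technique, action = "T1070.001", "clear"
    elif verb in DISABLE_VERBS and any(
        (m := ENABLED_OPT.match(a)) is not None and m.group("val").lower() == "false"
        for a in args
    ):
        technique, action = "T1562.002", "disable"
    else:
        # el, gl, qe, or sl with only size/retention options: routine admin use.
        return None
    return Finding(technique, action, log_name, event.get("Image", ""),
                   event.get("CommandLine", ""), event.get("ParentImage", ""),
                   event.get("User", ""), event.get("Computer", ""))


def scan(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (analyze(e) for e in events) if f is not None]


SYS32 = r"C:\Windows\System32"
# Constructed sample events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\svc-inventory", "ParentImage": SYS32 + r"\cmd.exe",
     "Image": SYS32 + r"\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil.exe el"},                               # routine: list logs
    {"Computer": "WS01", "User": "CORP\\admin-jdoe", "ParentImage": SYS32 + r"\cmd.exe",
     "Image": SYS32 + r"\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil.exe sl Application /ms:104857600"},     # routine: resize only
    {"Computer": "FS02", "User": "CORP\\admin-jdoe", "ParentImage": SYS32 + r"\cmd.exe",
     "Image": SYS32 + r"\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil.exe sl Security /e:false"},             # disable Security log
    {"Computer": "FS02", "User": "CORP\\admin-jdoe",
     "ParentImage": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "Image": SYS32 + r"\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": r'"C:\Windows\System32\wevtutil.exe" set-log "Microsoft-Windows-PowerShell/Operational" /enabled:False'},
    {"Computer": "FS02", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": SYS32 + r"\cmd.exe",
     "Image": r"C:\Users\Public\wu.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wu.exe cl System"},                              # renamed copy clears System
    {"Computer": "FS02", "User": "CORP\\admin-jdoe", "ParentImage": SYS32 + r"\cmd.exe",
     "Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c Clear-EventLog -LogName Security"},  # not wevtutil: out of scope
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.action:<7} {f.log_name:<42} {f.computer} {f.user} via {f.parent_image}")
```

The two routine events (enumerating logs, raising a log's maximum size) produce no finding, which is the tuning point the brief's "investigate promptly" recommendation implies: only a state-changing verb with the disabling option, or a clear, fires. The PowerShell `Clear-EventLog` case is deliberately left unmatched to show the boundary of a command-line rule keyed on `wevtutil.exe`; it needs its own detection.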