the wevtutil.exe application is a legitimate windows event log utility. administrators may use it to manage windows event logs.

t1070
t1070.001
endpoint
splunk

Techniques

T1070
T1070.001

Sample rules

Suspicious wevtutil Usage

source: splunk
technicques:
- T1070.001
- T1070

Description

The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, trace or system event logs.

Detection logic


| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wevtutil.exe Processes.process IN ("* cl *", "*clear-log*") (Processes.process="*System*" OR Processes.process="*Security*" OR Processes.process="*Setup*" OR Processes.process="*Application*" OR Processes.process="*trace*") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
|`security_content_ctime(lastTime)` 
| `suspicious_wevtutil_usage_filter`