In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.

ATT&CK Detection

Technique                   Subtechnique(s)             Tactic(s)        Level of Coverage
Indicator Removal on Host   Clear Windows Event Logs    Defense Evasion  Low

Data Model References

Object    Action    Field
process   create    command_line

Implementations

Splunk search - Detecting log clearing with wevtutil (Splunk, Sysmon native)

This search query looks for Sysmon process-creation events (EventCode 1) where wevtutil is invoked with the clear-log verb ("cl") and one of the primary Windows Event Log names, which would cause the system to clear those logs.

index=__your_sysmon_index__ sourcetype=__your__windows__sysmon__sourcetype EventCode=1 Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*)
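The same analytic re-expressed in Python so it can be tested offline against constructed Sysmon Event ID 1 records. This is an added example, not code from the CAR page or from Splunk; the field names (EventCode, Image, CommandLine) follow the Sysmon fields the search above references, and the sample events are constructed. It goes slightly beyond the search by tokenizing the command line and matching the clear verb as a whole argument (both the short form "cl" and the long form "clear-log"), which avoids the substring matches that a bare `*cl*` wildcard produces.

```python
"""Added example (not from the CAR page): the Splunk search above re-expressed
as Python over constructed Sysmon Event ID 1 (process create) records."""
import shlex

# Log names the page's search looks for, matched case-insensitively.
TARGET_LOGS = {"system", "security", "setup", "application"}
# wevtutil's clear verb: short form "cl" and long form "clear-log".  The page's
# wildcard *cl* matches both by substring; here they are matched as whole tokens.
CLEAR_VERBS = {"cl", "clear-log"}


def _tokens(command_line):
    """Split a Windows command line into arguments, tolerating unbalanced quotes.

    posix=False keeps backslashes in paths intact (they are not escapes there).
    """
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quote: fall back to a plain whitespace split
        return command_line.split()


def is_log_clearing(event):
    """Return True when a process-create event shows wevtutil clearing a target log."""
    if event.get("EventCode") != 1:            # only process-creation events
        return False
    if "wevtutil" not in event.get("Image", "").lower():
        return False
    tokens = [t.strip('"').lower() for t in _tokens(event.get("CommandLine", ""))]
    has_clear_verb = any(t in CLEAR_VERBS for t in tokens)
    has_target_log = any(t in TARGET_LOGS for t in tokens)
    return has_clear_verb and has_target_log


def find_log_clearing(events):
    """Return the command lines of every event the analytic would flag."""
    return [e["CommandLine"] for e in events if is_log_clearing(e)]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},                 # flagged
    {"EventCode": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": 'wevtutil clear-log "Application"'},         # flagged (long form)
    {"EventCode": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Security /c:5 /f:text"},    # query only, benign
    {"EventCode": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil el"},                               # enumerate logs, benign
    {"EventCode": 3, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl System"},                    # not a process-create event
]

if __name__ == "__main__":
    for cmd in find_log_clearing(SAMPLE_EVENTS):
        print("ALERT: Windows Event Log clearing via wevtutil:", cmd)
```

Note that the Image filter means a clear issued through an intermediate shell (for example via cmd.exe) is still caught, because wevtutil is launched as its own child process and produces its own Event ID 1 record; what this analytic does not cover is clearing the same logs through other means, such as PowerShell's Clear-EventLog cmdlet or direct API calls.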