In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|Indicator Removal on Host||Clear Windows Event Logs||Defense Evasion||Low|
Data Model References
Splunk search - Detecting log clearing with wevtutil (Splunk, Sysmon native)
This search query looks for an instance where wevtutil is invoked along with a command that may cause the system to remove Windows Event logs.
index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*)