Sigma rules for Wevtutil
5 rules · scoped to tool · back to Wevtutil
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Eventlog Clearing or Configuration Change Activity
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
status: stable
description: |
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
This technique were seen used by threat actors and ransomware strains in order to evade defenses.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
- https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
- https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc
- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-09-26
modified: 2025-03-12
tags:
- attack.defense-impairment
- attack.t1685.005
- attack.t1685.001
- car.2016-04-002
logsource:
category: process_creation
product: windows
detection:
selection_wevtutil_img:
- Image|endswith: '\wevtutil.exe'
- OriginalFileName: 'wevtutil.exe'
selection_wevtutil_cmd:
CommandLine|contains:
- 'clear-log ' # clears specified log
- ' cl ' # short version of 'clear-log'
- 'set-log ' # modifies config of specified log. could be uset to set it to a tiny size
- ' sl ' # short version of 'set-log'
- 'lfn:' # change log file location and name
selection_other_ps_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
selection_other_ps_cmd:
- CommandLine|contains:
- 'Clear-EventLog '
- 'Remove-EventLog '
- 'Limit-EventLog '
- 'Clear-WinEvent '
- CommandLine|contains|all:
- 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
- 'ClearLog'
- CommandLine|contains|all:
- 'Diagnostics.EventLog'
- 'Clear'
selection_other_wmi:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\wmic.exe'
CommandLine|contains: 'ClearEventLog'
filter_main_msiexec:
# Example seen during office update/installation:
# ParentImage: C:\Windows\SysWOW64\msiexec.exe
# CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
ParentImage:
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\msiexec.exe'
CommandLine|contains: ' sl '
condition: (all of selection_wevtutil_*) or (all of selection_other_ps_*) or (selection_other_wmi) and not 1 of filter_main_*
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
- Maintenance activity
level: high
title: Security Eventlog Cleared
id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
related:
- id: f2f01843-e7b8-4f95-a35a-d23584476423
type: obsolete
- id: a122ac13-daf8-4175-83a2-72c387be339d
type: obsolete
status: test
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2022-02-24
tags:
- attack.defense-impairment
- attack.t1685.005
- car.2016-04-002
logsource:
product: windows
service: security
detection:
selection_517:
EventID: 517
Provider_Name: Security
selection_1102:
EventID: 1102
Provider_Name: Microsoft-Windows-Eventlog
condition: 1 of selection_*
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
level: high
title: Important Windows Eventlog Cleared
id: 100ef69e-3327-481c-8e5c-6d80d9507556
related:
- id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
type: derived
status: test
description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-17
modified: 2023-11-15
tags:
- attack.defense-impairment
- attack.t1685.005
- car.2016-04-002
logsource:
product: windows
service: system
detection:
selection:
EventID: 104
Provider_Name: 'Microsoft-Windows-Eventlog'
Channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'Microsoft-Windows-Sysmon/Operational'
- 'PowerShellCore/Operational'
- 'Security'
- 'System'
- 'Windows PowerShell'
condition: selection
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
level: high
title: Windows Event Log Access Tampering Via Registry
id: ba226dcf-d390-4642-b9af-b534872f1156
status: experimental
description: |
Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
references:
- https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
- https://www.youtube.com/watch?v=uSYvHUVU8xY
- https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
author: X__Junior
date: 2025-01-16
modified: 2025-08-16
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-impairment
- attack.t1547.001
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
# O:SYG:SYD:(D;;0x1;;;WD)
# O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)
selection_key_1:
TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
TargetObject|endswith: '\CustomSD'
selection_key_2:
TargetObject|contains:
- '\Policies\Microsoft\Windows\EventLog\'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
TargetObject|endswith: '\ChannelAccess'
selection_details:
- Details|contains: 'D:(D;'
- Details|contains|all:
- 'D:('
- ')(D;'
filter_main_trustedinstaller:
Image: 'C:\Windows\servicing\TrustedInstaller.exe'
filter_main_tiworker:
Image|startswith: 'C:\Windows\WinSxS\'
Image|endswith: '\TiWorker.exe'
filter_optional_empty:
Image: ''
filter_optional_null:
Image: null
condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrative activity, still unlikely
level: high
title: Eventlog Cleared
id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
related:
- id: f2f01843-e7b8-4f95-a35a-d23584476423
type: obsolete
- id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
type: derived
- id: 100ef69e-3327-481c-8e5c-6d80d9507556
type: derived
status: test
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2023-11-15
tags:
- attack.defense-impairment
- attack.t1685.005
- car.2016-04-002
logsource:
product: windows
service: system
detection:
selection:
EventID: 104
Provider_Name: 'Microsoft-Windows-Eventlog'
filter_main_covered:
# The channels below are already covered by the rule 100ef69e-3327-481c-8e5c-6d80d9507556
Channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'Microsoft-Windows-Sysmon/Operational'
- 'PowerShellCore/Operational'
- 'Security'
- 'System'
- 'Windows PowerShell'
condition: selection and not 1 of filter_main_*
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
level: medium