wevtutil.exe, the built-in Windows Event Log management tool, can be abused as a living-off-the-land binary (LOLBAS). The abuse is not code execution: the tool neither runs attacker commands nor fetches payloads. Its value to an intruder is that it manipulates the logs defenders rely on, so malicious activity can be concealed and the integrity of the audit trail undermined, using a signed Microsoft binary that traditional security controls rarely block.
Its legitimate functions include exporting event logs as XML, clearing logs selectively or entirely, and querying logs by specific criteria. Essential to system administrators, the same functions let an attacker hide their tracks or harvest sensitive data that has landed in the logs.
In post-exploitation the tool is used to tamper with event logs: an attacker who already holds the necessary privileges can clear, query or export log data, hindering incident response and helping to stage sensitive data for exfiltration.


Attackers use the `wevtutil cl` command (for example `wevtutil cl Application`) to clear individual event logs such as the Application log, evading detection and hindering incident response. A rarely scrutinised utility draws less attention than tools such as PowerShell, on which most detection content concentrates.
From a standard user context the command fails with an 'Access Denied' error; clearing the Application log requires running it from a command prompt elevated to administrator.
wevtutil cannot remove individual events from a log, only clear a log in its entirety. Clearing the Security log is the least stealthy choice, because it generates Event ID 1102, a well-known indicator of tampering.


Event ID 1102 records who cleared the Security log, including the account and logon session responsible, so it is easily picked up by security tooling and is unattractive to a stealthy attacker.
Clearing a non-Security log is recorded with far less prominence: the Microsoft-Windows-Eventlog provider writes Event ID 104 ("The <log> log file was cleared") to the System log, naming the account and the channel that was cleared. That record is easy to overlook because the System log is rarely audited and forwarded as rigorously as the Security log, which is central to auditing and forensics.
Administrators can additionally enable the "Audit Other Object Access Events" policy under Advanced Audit Policy Configuration to track changes made to log management settings.
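Both signals described above can be pulled straight out of a wevtutil XML dump. The following is an added example for this article, not code from the article or from any product: it parses the bare `<Event>` elements that `wevtutil qe <log> /f:xml` prints (wevtutil emits them with no enclosing root element, so the parser wraps them) and reports every Security 1102 and System 104 record with the account and the channel concerned. The sample records, hostname and account names are constructed for the example and abbreviated to the fields the detection needs.

```python
"""Flag log-clearing records in a `wevtutil qe <log> /f:xml` dump.

Added example for this article; not code from the article or any product.
It parses the bare <Event> elements that wevtutil prints and reports
Security Event ID 1102 (Security log cleared) and System Event ID 104
(any other channel cleared), with the account and the channel concerned.
"""
import xml.etree.ElementTree as ET

# Constructed sample resembling the concatenated output of
#   wevtutil qe System /f:xml   and   wevtutil qe Security /f:xml
# The field layout follows the documented shape of these events but is
# abbreviated; the hostname and account names are invented.
SAMPLE_EXPORT = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>
<TimeCreated SystemTime="2024-12-10T10:15:32.000Z"/><Channel>System</Channel>
<Computer>WS01.corp.local</Computer></System><UserData>
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserName>alice</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>
<Channel>Application</Channel><BackupPath></BackupPath></LogFileCleared></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<TimeCreated SystemTime="2024-12-10T10:16:00.000Z"/><Channel>Security</Channel>
<Computer>WS01.corp.local</Computer></System><EventData>
<Data Name="TargetUserName">alice</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
<TimeCreated SystemTime="2024-12-10T10:17:45.000Z"/><Channel>Security</Channel>
<Computer>WS01.corp.local</Computer></System><UserData>
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserName>alice</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>
<SubjectLogonId>0x3e7</SubjectLogonId></LogFileCleared></UserData></Event>
"""


def _local(tag):
    """Strip the XML namespace prefix ElementTree attaches to each tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first descendant of `elem` whose local name is `name`."""
    if elem is None:
        return ""
    for e in elem.iter():
        if _local(e.tag) == name:
            return (e.text or "").strip()
    return ""


def parse_events(xml_text):
    """Wrap wevtutil's rootless output and yield (event_id, channel, time, elem)."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root:
        if _local(ev.tag) != "Event":
            continue
        system = next((c for c in ev if _local(c.tag) == "System"), None)
        if system is None:
            continue
        event_id = int(_child_text(system, "EventID") or 0)
        channel = _child_text(system, "Channel")
        when = ""
        for c in system:
            if _local(c.tag) == "TimeCreated":
                when = c.get("SystemTime", "")
        yield event_id, channel, when, ev


def find_log_clears(xml_text):
    """Return one alert dict per log-clear record (1102 or 104) in the dump."""
    alerts = []
    for event_id, channel, when, ev in parse_events(xml_text):
        if event_id not in (1102, 104):
            continue
        userdata = next((c for c in ev if _local(c.tag) == "UserData"), None)
        user = _child_text(userdata, "SubjectUserName")
        domain = _child_text(userdata, "SubjectDomainName")
        # 1102 is always about the Security log; 104 names the channel cleared.
        cleared = "Security" if event_id == 1102 else _child_text(userdata, "Channel")
        alerts.append({
            "event_id": event_id,
            "recorded_in": channel,
            "cleared_log": cleared,
            "account": f"{domain}\\{user}" if domain else user,
            "time": when,
            # 1102 is the loud signal; 104 is the one defenders tend to miss.
            "severity": "high" if event_id == 1102 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in find_log_clears(SAMPLE_EXPORT):
        print(a)
```

The unrelated 4624 record is there to show the filter only fires on the two clear events. In a real pipeline the same function runs over the output of a scheduled `wevtutil qe System /f:xml` collection or over the forwarded System and Security channels; the point is that the 104 record deserves the same escalation path as 1102, not a lower one.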


An attacker can use `wevtutil qe` to dump an event log as XML, potentially capturing credentials or indicators of internal activity that have been written to the logs. Reading the Security log requires elevated privileges (or membership of the Event Log Readers group), but where the command succeeds the exported data can be highly sensitive.
According to Denwp, what can be exported depends on the caller's read access to each log: administrators have broad access, while standard users are typically limited to the Application and System logs.
To mitigate LOLBAS attacks involving wevtutil.exe, organizations should monitor wevtutil process creation and log-cleared events, enforce strict access controls on event logs, and apply behavioral analytics to detect anomalous usage patterns, in particular suspicious tool combinations such as wevtutil.exe followed by makecab.exe and certutil.exe (export, compress, encode).
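The behavioral rule implied above (a wevtutil export or clear, and a wevtutil dump followed shortly by makecab.exe or certutil.exe on the same host) can be written against process-creation telemetry. The following is an added example for this article, not code from the article or from any product: it takes process-creation records (the fields one would reduce from Security 4688 or Sysmon Event ID 1) as dicts, classifies each wevtutil invocation by verb, and raises a chained alert when a compress/encode tool appears within a ten-minute window after a log dump. The records, hostnames, paths and account names are constructed; the ten-minute window is an arbitrary tuning choice.

```python
"""Heuristics for wevtutil abuse in process-creation telemetry.

Added example for this article; not code from the article or any product.
Input is a list of process-creation records (as reduced from Security 4688
or Sysmon Event ID 1) in dict form. The code classifies each wevtutil
invocation (clear, query, export) and flags a wevtutil dump followed on the
same host, within a short window, by makecab.exe or certutil.exe, the tool
chain named in the article. All records below are constructed.
"""
import ntpath
import shlex
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # tuning choice, not a documented value

# wevtutil accepts short and long verb forms; both are matched, case-insensitively.
CLEAR_VERBS = {"cl", "clear-log"}
QUERY_VERBS = {"qe", "query-events"}
EXPORT_VERBS = {"epl", "export-log"}
DUMP_TYPES = {"log_query", "log_export"}
STAGING_TOOLS = {"makecab.exe", "certutil.exe"}

# Constructed records: one host dumps Security, packages it, encodes it and
# clears Application; a second host shows a benign backup export and an
# unrelated makecab run hours later.
SAMPLE_RECORDS = [
    {"time": "2024-12-10T10:14:02", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": 'wevtutil qe Security /f:xml /q:"*[System[(EventID=4624)]]"'},
    {"time": "2024-12-10T10:15:40", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\makecab.exe",
     "command_line": r"makecab.exe C:\Users\Public\sec.xml C:\Users\Public\sec.cab"},
    {"time": "2024-12-10T10:16:10", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -encode C:\Users\Public\sec.cab C:\Users\Public\sec.txt"},
    {"time": "2024-12-10T10:17:45", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil cl Application"},
    {"time": "2024-12-10T11:30:00", "host": "SRV02", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": r"wevtutil epl System D:\backups\system.evtx"},
    {"time": "2024-12-10T14:00:00", "host": "SRV02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\makecab.exe",
     "command_line": r"makecab.exe D:\reports\q4.docx D:\reports\q4.cab"},
]


def _tokens(cmdline):
    """Split a Windows command line, honouring double quotes but not backslash escapes."""
    lexer = shlex.shlex(cmdline, posix=True)
    lexer.whitespace_split = True
    lexer.escape = ""          # keep C:\path\file.exe intact
    lexer.commenters = ""
    try:
        return list(lexer)
    except ValueError:         # unbalanced quote (e.g. an apostrophe in a path)
        return cmdline.split()


def classify_wevtutil(cmdline):
    """Return (category, target_log) for a wevtutil command line, else None."""
    toks = _tokens(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("wevtutil", "wevtutil.exe"):
        return None
    verb = toks[1].lower() if len(toks) > 1 else ""
    target = toks[2] if len(toks) > 2 and not toks[2].startswith("/") else ""
    if verb in CLEAR_VERBS:
        return "log_clear", target
    if verb in QUERY_VERBS:
        return "log_query", target
    if verb in EXPORT_VERBS:
        return "log_export", target
    return "other", target


def find_wevtutil_alerts(records, window=WINDOW):
    """Classify wevtutil runs and correlate dumps with later staging tools."""
    alerts = []
    dumps = []   # (host, time, command_line) of earlier wevtutil dumps
    for r in sorted(records, key=lambda rec: rec["time"]):
        t = datetime.fromisoformat(r["time"])
        image = ntpath.basename(r["image"]).lower()
        hit = classify_wevtutil(r["command_line"])
        if hit:
            category, target = hit
            alerts.append({"type": category, "host": r["host"], "user": r["user"],
                           "log": target, "time": r["time"]})
            if category in DUMP_TYPES:
                dumps.append((r["host"], t, r["command_line"]))
        elif image in STAGING_TOOLS:
            # A compress/encode tool shortly after a log dump on the same host
            # is the export -> package -> exfiltrate pattern worth escalating.
            for host, t0, cmd in dumps:
                if host == r["host"] and timedelta(0) <= t - t0 <= window:
                    alerts.append({"type": "dump_then_stage", "host": host,
                                   "user": r["user"], "tool": image,
                                   "prior": cmd, "time": r["time"]})
                    break
    return alerts


if __name__ == "__main__":
    for a in find_wevtutil_alerts(SAMPLE_RECORDS):
        print(a)
```

On the sample, WS01 yields a query alert, two chained staging alerts and a clear alert, while SRV02's backup export is reported on its own and its makecab run, hours later, is not chained. The single-event alerts are where access-control review and allow-listing of known backup accounts belong; the chained alert is the one to page on.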