-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2021-01-003.yaml
35 lines (35 loc) · 1.38 KB
/
CAR-2021-01-003.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
---
title: Clearing Windows Logs with Wevtutil
submission_date: 2020/12/02
information_domain: 'Host'
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Cyware Labs
id: CAR-2021-01-003
description: |
In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.
coverage:
- technique: T1070
coverage: Low
subtechniques:
- T1070.001
tactics:
- TA0005
implementations:
- name: Splunk search - Detecting log clearing with wevtutil
description: This search query looks for an instance where wevtutil is invoked along with a command that may cause the system to remove Windows Event logs.
code: |
index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*)
data_model: Sysmon native
type: Splunk
data_model_references:
- process/create/command_line
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis