Unexplored LOLBAS Technique: Wevtutil.exe

Wevtutil.exe manages Windows event logs, aiding system admins but exploitable by attackers for log manipulation, evasion, and data exfiltration.


Living Off the Land Binaries and Scripts (LOLBAS) techniques have become a go-to strategy for attackers. These methods rely on legitimate, pre-installed Windows tools to carry out malicious activities, often slipping past security controls unnoticed. In this post, we’re taking a closer look at a lesser-known use of wevtutil.exe, a utility built for managing Windows Event Logs, and how it can be leveraged as a powerful LOLBAS tool.

What is Wevtutil.exe?

Wevtutil.exe is a command-line tool provided by Windows for querying, exporting, and managing event logs. System administrators commonly use it to collect and manage logs for troubleshooting or auditing. Despite its intended purpose, the functionality of wevtutil.exe can be manipulated for unintended use in a malicious context.

Key features of wevtutil.exe include:

  • Exporting event logs to XML format.
  • Clearing specific or all event logs.
  • Querying event logs based on defined criteria.

These capabilities make wevtutil.exe a double-edged sword: while invaluable for legitimate operations, they can also aid attackers in covering tracks or exfiltrating information.


Uses of Wevtutil.exe in LOLBAS Context

Wevtutil.exe can be exploited in a LOLBAS context to clear, query, or export event logs, helping attackers evade detection and exfiltrate data. Its native presence on Windows systems makes it a stealthy and effective tool for post-exploitation activities.

Selective Log Clearing for Evasion

Attackers can use wevtutil cl to clear all logs or selectively clear specific logs. While log clearing is not a new tactic, using less common utilities could evade traditional detection mechanisms that primarily focus on widely used tools such as PowerShell.

wevtutil cl Application

Below is a view of the Application event logs in the Event Viewer.

As a standard user, attempting to run the command results in an 'Access Denied' error.

Using an elevated command prompt, running the command successfully clears the Application logs.

Limitation:

The wevtutil command cannot clear specific events within an event log. It operates on an entire log file and does not support selective deletion of individual events.

While wevtutil.exe can also be used to clear the Security event log, doing so is not as stealthy as clearing other logs. Clearing the Security log generates Event ID 1102 in the Windows Event Viewer. This event serves as a critical security signal, indicating that the audit logs have been cleared.

Event ID 1102 contains details such as the username and process responsible for the log-clearing action, making it highly noticeable to defenders and security monitoring tools. This inherent traceability makes it less appealing for attackers focused on evasion.

Windows generates specific events when certain logs are cleared, but this behavior varies based on the type of log. For instance, clearing the Security log always generates Event ID 1102 in the Security log itself, as that log is treated as a critical component of system auditing and forensic investigations. However, clearing non-Security logs, such as the Application or System logs, typically results in Event ID 104 in the System log.

This distinction arises because the Security log is specifically designed to support stringent auditing and compliance requirements, whereas other logs are not subject to the same level of scrutiny by default. To improve visibility into log-clearing activity for all log types, administrators can enable audit policies that track log management actions. The relevant Advanced Audit Policy settings, configured via Group Policy, are:

  • Audit Policy Change
  • Audit Other Object Access Events
    Path: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit Other Object Access Events
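As an added example (not code from the original post), the following PowerShell script reviews who can read the core event logs, which ties the audit-policy setting above to the access-control advice later in the post, and then enables that audit subcategory with auditpol. It assumes Windows PowerShell 5.1 or later in an elevated prompt; the list of "broad" trustees is constructed for this example.

```powershell
# Added example (not from the original post): review who can read the core event logs and
# enable the audit subcategory the post names. Assumes Windows PowerShell 5.1+ in an elevated prompt.
# Constructed list of broad trustees whose read access to the Security log deserves review:
# Everyone, Authenticated Users, Builtin Users, Interactive (SDDL aliases and raw SIDs).
$BroadTrustees = @('WD', 'AU', 'BU', 'IU', 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

function Get-EventLogAccessReport {
    param([string[]]$LogName = @('Security', 'System', 'Application'))
    foreach ($name in $LogName) {
        # Get-WinEvent -ListLog returns the channel configuration, including its SDDL
        $cfg = Get-WinEvent -ListLog $name -ErrorAction Stop
        $broadRead = @()
        # Allow ACEs look like (A;flags;rights;;;trustee); rights are usually a hex mask, bit 0x1 = read
        foreach ($m in [regex]::Matches($cfg.SecurityDescriptor, '\(A;[^;]*;([^;]*);;;([^)]*)\)')) {
            $rights  = $m.Groups[1].Value
            $trustee = $m.Groups[2].Value
            # Symbolic right strings (e.g. GR) are treated conservatively as a read grant
            $grantsRead = if ($rights -match '^0x') { ([uint32]$rights -band 1) -ne 0 } else { $true }
            if ($grantsRead -and ($BroadTrustees -contains $trustee)) { $broadRead += $trustee }
        }
        [pscustomobject]@{
            Log             = $name
            MaxSizeMB       = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
            LogMode         = $cfg.LogMode      # Circular logs overwrite old events; forward them centrally
            BroadReadAccess = ($broadRead -join ',')
        }
    }
}

Get-EventLogAccessReport | Format-Table -AutoSize

# Enable the subcategory referenced above (Object Access > Audit Other Object Access Events) and confirm it
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
auditpol /get /subcategory:"Other Object Access Events"
```

A non-empty BroadReadAccess value on the Security log means standard users could run the export and query commands shown in this post without elevation.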

Privilege and Detection Considerations:

  • Privilege Required: Administrator or equivalent privileges.
  • Reason: Clearing event logs impacts system auditing and is restricted to prevent tampering or destruction of forensic evidence. Only users in the Administrators group or accounts with elevated privileges can clear logs.
  • Detection Tip: Clearing logs often generates an event (e.g., Event ID 1102 in the Security log and Event ID 104 in the System log), which can alert defenders if centralized logging is in place.

Exfiltration of Event Logs

Wevtutil.exe can export event logs in XML format using the wevtutil qe command. An attacker could extract sensitive information embedded in logs (e.g., credentials or indicators of internal activity) and exfiltrate it.

wevtutil qe Security /f:xml > exported_logs.xml

As a standard user, attempting to run the command results in an 'Access Denied' error.

Using an elevated command prompt, running the command successfully exports the logs to our desktop.

Here are some alternative commands for exporting logs:

wevtutil epl Security exported.evtx
wevtutil epl Application exported.evtx

Privilege and Detection Considerations:

  • Privilege Required: Administrator or User with Read Access to the specific logs being exported.
  • Reason: Reading and exporting logs generally requires access permission to the log files in question. While administrators typically have access to all logs, non-administrator users may only access logs where permissions are explicitly granted (e.g., Application logs).
  • Example:
    • Security logs: Usually restricted to Administrators and Event Log Readers.
    • Application/System logs: May be accessible by standard users in some configurations.

Log Queries for Reconnaissance

Wevtutil.exe allows precise querying of logs, enabling attackers to gather intelligence on system activities or user behaviors. By leveraging customized queries, adversaries can gain insights into authentication attempts, system errors, or privileged operations.

wevtutil qe Security /q:"*[System[EventID=4624]]"

As a standard user, attempting to run the command results in an 'Access Denied' error.

Using an elevated command prompt, running the command successfully displays all Security log entries with Event ID 4624. These are successful logon events, which allow an attacker to analyze user activity patterns.

Privilege and Detection Considerations:

  • Privilege Required:
    • Administrator or Event Log Reader role for sensitive logs (e.g., Security).
    • Standard User for logs like Application or Setup, depending on permissions.
  • Reason: Querying logs is less intrusive than clearing them, so access is often more permissive. However, critical logs (like Security) remain restricted to privileged users.

Bypassing Detection via LOLBAS Utility Chain

Using wevtutil.exe as part of a chain of LOLBAS utilities can further obfuscate actions. For instance, an attacker could:

  • Export logs using wevtutil.exe.
  • Compress the exported file with makecab.exe.
  • Use certutil.exe to upload the file to a remote location.

To counter these novel abuses of wevtutil.exe, organizations should consider the following strategies:

  • Enhanced Monitoring
    • Monitor the use of wevtutil.exe, especially for unusual commands such as cl (clear logs) or qe (query/export logs).
    • Establish baselines for legitimate use of wevtutil.exe to detect anomalies.
  • Event Log Integrity
    • Enforce strict access controls to prevent unauthorized users from clearing or exporting event logs.
    • Utilize centralized log aggregation to ensure redundancy and detect discrepancies.
  • Behavioral Analytics
    • Combine behavioral analytics with rule-based monitoring to identify patterns consistent with LOLBAS techniques.
    • Flag combinations of tools commonly used in LOLBAS utility chains (e.g., wevtutil.exe followed by makecab.exe and certutil.exe).
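As an added example (not code from the original post), this PowerShell script implements the Detection Tip and the Enhanced Monitoring recommendation above: it collects the Event ID 1102 and 104 log-clearing events with the responsible user and channel, and flags wevtutil.exe process-creation events whose command line uses the cl, qe or epl verbs. It assumes Windows PowerShell 5.1 or later with read access to the Security and System logs, and that command-line auditing for Event ID 4688 is enabled (otherwise the CommandLine field is empty and nothing is flagged).

```powershell
# Added example (not from the original post): hunt for the traces the post describes.
# 1102 (Security log cleared) is written to the Security log; 104 (any log cleared) to the System log.
# Assumes Windows PowerShell 5.1+ with read access to these logs, and 4688 command-line auditing enabled.

function Get-XmlValue {
    param([xml]$Xml, [string]$Name)
    # Namespace-agnostic lookup of a UserData element or an EventData <Data Name="..."> node
    $n = $Xml.SelectSingleNode("//*[local-name()='$Name' or (local-name()='Data' and @Name='$Name')]")
    if ($n) { $n.InnerText } else { '' }
}

function Get-LogClearEvents {
    param([int]$Days = 7)
    $start = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $start }  # Security log cleared
        @{ LogName = 'System';   Id = 104;  StartTime = $start }  # Microsoft-Windows-Eventlog: other log cleared
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $x = [xml]$_.ToXml()
            # 1102 has no Channel field (it is always Security); 104 names the cleared channel
            $chan = if ($_.Id -eq 1102) { 'Security' } else { Get-XmlValue $x 'Channel' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Channel = $chan
                User    = (Get-XmlValue $x 'SubjectDomainName') + '\' + (Get-XmlValue $x 'SubjectUserName')
            }
        }
    }
}

function Get-WevtutilProcessEvents {
    param([int]$Days = 7)
    # 4688 process creation; CommandLine is only populated when command-line auditing is on
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x   = [xml]$_.ToXml()
        $cmd = Get-XmlValue $x 'CommandLine'
        # Flag clear, query and export verbs in both abbreviated and long forms
        if ($cmd -match 'wevtutil(\.exe)?\s+(cl|clear-log|qe|query-events|epl|export-log)\b') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = (Get-XmlValue $x 'SubjectUserName'); CommandLine = $cmd }
        }
      }
}

Get-LogClearEvents | Format-Table -AutoSize
Get-WevtutilProcessEvents | Format-Table -AutoSize
```

Run it against forwarded logs on a collector rather than only on the endpoint, since a cleared local log removes the very 104 and 4688 entries this script looks for.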

Conclusion

Wevtutil.exe, a built-in Windows utility, is a powerful tool for managing event logs. While invaluable for legitimate administrative tasks, it can also be exploited in a Living Off the Land (LOLBAS) context for malicious purposes. Attackers can use it to clear logs, query specific event data, or export logs for exfiltration. Clearing the Security log generates Event ID 1102, making such actions detectable, while clearing other logs like Application and System leaves only a System log Event ID 104 by default, which is far easier to overlook.

Privilege requirements restrict log clearing to users with administrative rights, ensuring some level of protection. However, enabling advanced audit policies can improve detection capabilities, logging events even for non-Security logs. Understanding these behaviors is crucial for both red teams leveraging this utility and defenders aiming to detect and mitigate its abuse.

Reference:

  • wevtutil: reference article for wevtutil, which lets you retrieve information about event logs and publishers.
  • Wevtutil, Software S0645 | MITRE ATT&CK®