Description: One thing adversaries will do to cover their tracks is clear the event log. The query below monitors for execution of wevtutil.exe, a utility that can clear the event logs on Windows.

SQL:
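-- Security 4688 (process creation) events from the last day whose new process is wevtutil.exe.
-- Caveats for tuning:
--   * This fires on every wevtutil.exe launch, including read-only subcommands (querying or
--     listing logs); add a CommandLine filter if the alert is noisy.
--   * Only NewProcessName is matched, so a renamed copy of the binary will not match.
--   * CommandLine is populated only when command-line auditing is enabled for 4688.
--   * mitre_attck_id is the parent technique; the URL points at sub-technique T1070.001.
WITH recent_process_creation AS (
    -- String literals are single-quoted: SQLite resolves "Security" as an identifier first and
    -- only falls back to a string literal through a legacy quirk that some builds disable.
    SELECT
        data,
        datetime
    FROM windows_eventlog
    WHERE channel = 'Security'
      AND eventid = 4688
      -- DATE('now', ...) is UTC; the datetime column is ISO-8601 text, so a string compare orders correctly
      AND datetime > DATE('now', '-1 days')
),
enriched AS (
    -- Pull the 4688 EventData fields out of the JSON payload once, so the final
    -- projection and the integrity-label mapping can refer to them by name.
    SELECT
        datetime,
        datetime(julianday(datetime), 'localtime') AS datetime_local,
        'T1070' AS mitre_attck_id,
        'https://attack.mitre.org/techniques/T1070/001/' AS mitre_attck_url,
        'apt, wevtutil, cmd' AS tags,
        json_extract(data, '$.EventData.SubjectUserName') AS SubjectUserName,
        json_extract(data, '$.EventData.SubjectDomainName') AS SubjectDomainName,
        json_extract(data, '$.EventData.SubjectLogonId') AS SubjectLogonId,
        json_extract(data, '$.EventData.NewProcessId') AS NewProcessId,
        json_extract(data, '$.EventData.NewProcessName') AS NewProcessName,
        json_extract(data, '$.EventData.TokenElevationType') AS TokenElevationType,
        json_extract(data, '$.EventData.ProcessId') AS ProcessId,
        json_extract(data, '$.EventData.CommandLine') AS CommandLine,
        json_extract(data, '$.EventData.TargetUserSid') AS TargetUserSid,
        json_extract(data, '$.EventData.TargetUserName') AS TargetUserName,
        json_extract(data, '$.EventData.TargetDomainName') AS TargetDomainName,
        json_extract(data, '$.EventData.TargetLogonId') AS TargetLogonId,
        json_extract(data, '$.EventData.ParentProcessName') AS ParentProcessName,
        json_extract(data, '$.EventData.MandatoryLabel') AS MandatoryLabel
    FROM recent_process_creation
)
SELECT
    datetime,
    datetime_local,
    mitre_attck_id,
    mitre_attck_url,
    tags,
    SubjectUserName,
    SubjectDomainName,
    SubjectLogonId,
    NewProcessId,
    NewProcessName,
    TokenElevationType,
    ProcessId,
    CommandLine,
    TargetUserSid,
    TargetUserName,
    TargetDomainName,
    TargetLogonId,
    ParentProcessName,
    MandatoryLabel,
    -- Map the mandatory-integrity SID to a readable level; NULL when the label is
    -- missing or not one of the listed values (no ELSE on purpose).
    CASE MandatoryLabel
        WHEN 'S-1-16-0'     THEN 'untrusted'
        WHEN 'S-1-16-4096'  THEN 'low_integrity'
        WHEN 'S-1-16-8192'  THEN 'medium_integrity'
        WHEN 'S-1-16-8448'  THEN 'medium_high_integrity'
        WHEN 'S-1-16-12288' THEN 'high_integrity'
        WHEN 'S-1-16-16384' THEN 'system_integrity'
        WHEN 'S-1-16-20480' THEN 'protected_process'
    END AS MandatoryLabel_Meaning
FROM enriched
-- LIKE is case-insensitive for ASCII in SQLite, so WEVTUTIL.EXE also matches.
WHERE NewProcessName LIKE '%wevtutil.exe';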
Operating Systems: Windows Only
References:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
https://attack.mitre.org/techniques/T1070/001/
#event_log #threat_hunting #wevtutil