Is someone clearing your Windows event logs?

Description: One thing adversaries do to cover their tracks is clear the event log. The query below watches for execution of wevtutil.exe, the built-in Windows utility that can clear event logs, by looking at Security event 4688 (process creation) records for new processes whose image name ends in wevtutil.exe.

Command line arguments for clearing the event log

SQL:

SELECT * FROM (
  SELECT
  datetime,
  -- event timestamps are UTC; convert to the host's local time for analysts
  datetime(julianday(datetime), 'localtime') AS datetime_local,
  'T1070' as mitre_attck_id,
  'https://attack.mitre.org/techniques/T1070/001/' as mitre_attck_url,
  'apt, wevtutil, cmd' as tags,
  -- 4688 EventData fields pulled out of the JSON event body
  json_extract(data,'$.EventData.SubjectUserName') as SubjectUserName,
  json_extract(data,'$.EventData.SubjectDomainName') as SubjectDomainName,
  json_extract(data,'$.EventData.SubjectLogonId') as SubjectLogonId,
  json_extract(data,'$.EventData.NewProcessId') as NewProcessId,
  json_extract(data,'$.EventData.NewProcessName') as NewProcessName,
  json_extract(data,'$.EventData.TokenElevationType') as TokenElevationType,
  json_extract(data,'$.EventData.ProcessId') as ProcessId,
  json_extract(data,'$.EventData.CommandLine') as CommandLine,
  json_extract(data,'$.EventData.TargetUserSid') as TargetUserSid,
  json_extract(data,'$.EventData.TargetUserName') as TargetUserName,
  json_extract(data,'$.EventData.TargetDomainName') as TargetDomainName,
  json_extract(data,'$.EventData.TargetLogonId') as TargetLogonId,
  json_extract(data,'$.EventData.ParentProcessName') as ParentProcessName,
  json_extract(data,'$.EventData.MandatoryLabel') as MandatoryLabel,
  -- translate the integrity-level SID into a readable label
  CASE
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-0' THEN 'untrusted'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-4096' THEN 'low_integrity'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-8192' THEN 'medium_integrity'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-8448' THEN 'medium_high_integrity'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-12288' THEN 'high_integrity'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-16384' THEN 'system_integrity'
  WHEN json_extract(data,'$.EventData.MandatoryLabel') = 'S-1-16-20480' THEN 'protected_process'
  END AS MandatoryLabel_Meaning

  FROM (
    -- Security channel, process creation events, last 24 hours
    -- (string literals use single quotes; SQLite only treats "..." as a string when no matching column exists)
    SELECT data, datetime FROM windows_eventlog WHERE channel = 'Security' AND eventid = 4688 AND datetime > DATE('now', '-1 days')
  )
) WHERE NewProcessName LIKE '%wevtutil.exe';
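To see how the query above behaves on real-looking input without an osquery host, the following added example (not part of the original page) loads a few constructed 4688 records into an in-memory SQLite table shaped like osquery's windows_eventlog (channel, eventid, datetime, data) and runs a column-reduced copy of the detection against it. It also shows a refinement of my own, not the page's query, that narrows the result to command lines using the clear-log subcommand, since the page's filter on NewProcessName alone also fires on benign wevtutil invocations such as log queries. The sample events, user names and paths are constructed; the time-window filter is exercised with one event dated three days back.

```python
"""Exercise the wevtutil.exe detection query against constructed 4688 events."""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Column-reduced copy of the page's detection: same subquery, same integrity
# CASE, same NewProcessName filter. Requires SQLite with the JSON1 functions.
DETECTION_SQL = """
SELECT * FROM (
  SELECT
    datetime,
    json_extract(data, '$.EventData.SubjectUserName')   AS SubjectUserName,
    json_extract(data, '$.EventData.NewProcessName')    AS NewProcessName,
    json_extract(data, '$.EventData.CommandLine')       AS CommandLine,
    json_extract(data, '$.EventData.ParentProcessName') AS ParentProcessName,
    json_extract(data, '$.EventData.MandatoryLabel')    AS MandatoryLabel,
    CASE json_extract(data, '$.EventData.MandatoryLabel')
      WHEN 'S-1-16-0'     THEN 'untrusted'
      WHEN 'S-1-16-4096'  THEN 'low_integrity'
      WHEN 'S-1-16-8192'  THEN 'medium_integrity'
      WHEN 'S-1-16-8448'  THEN 'medium_high_integrity'
      WHEN 'S-1-16-12288' THEN 'high_integrity'
      WHEN 'S-1-16-16384' THEN 'system_integrity'
      WHEN 'S-1-16-20480' THEN 'protected_process'
    END AS MandatoryLabel_Meaning
  FROM (
    SELECT data, datetime FROM windows_eventlog
    WHERE channel = 'Security' AND eventid = 4688
      AND datetime > DATE('now', '-1 days')
  )
) WHERE NewProcessName LIKE '%wevtutil.exe'
"""

# Added refinement (assumption, not the page's query): keep only invocations
# whose command line uses wevtutil's clear-log subcommand ("cl" / "clear-log"),
# so routine log queries from the same binary do not raise an alert.
CLEAR_ONLY_SQL = DETECTION_SQL.rstrip() + """
  AND (CommandLine LIKE '% cl %' OR CommandLine LIKE '%clear-log%')
"""


def _event(days_ago, process, cmdline, label):
    """Build one constructed 4688 row: (channel, eventid, datetime, json body)."""
    stamp = (datetime.now(timezone.utc) - timedelta(days=days_ago)).strftime("%Y-%m-%d %H:%M:%S")
    body = {"EventData": {
        "SubjectUserName": "alice", "SubjectDomainName": "CORP",   # constructed
        "NewProcessName": process, "CommandLine": cmdline,
        "ParentProcessName": r"C:\Windows\System32\cmd.exe",
        "MandatoryLabel": label}}
    return ("Security", 4688, stamp, json.dumps(body))


# Constructed sample: one clear, one benign query, one unrelated process,
# and one clear that is older than the 24-hour window.
SAMPLE_ROWS = [
    _event(0, r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security", "S-1-16-12288"),
    _event(0, r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe qe Application /c:5", "S-1-16-8192"),
    _event(0, r"C:\Windows\System32\notepad.exe", "notepad.exe", "S-1-16-8192"),
    _event(3, r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl System", "S-1-16-12288"),
]


def build_db(rows=SAMPLE_ROWS):
    """Create an in-memory table shaped like osquery's windows_eventlog and load rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE windows_eventlog (channel TEXT, eventid INTEGER, datetime TEXT, data TEXT)")
    con.executemany("INSERT INTO windows_eventlog VALUES (?, ?, ?, ?)", rows)
    con.row_factory = sqlite3.Row
    return con


def run_query(con, sql):
    """Run a detection and return matching rows as plain dicts."""
    return [dict(r) for r in con.execute(sql)]


if __name__ == "__main__":
    db = build_db()
    for name, sql in (("page query", DETECTION_SQL), ("clear-log only", CLEAR_ONLY_SQL)):
        print(f"== {name} ==")
        for hit in run_query(db, sql):
            print(hit["datetime"], hit["SubjectUserName"], hit["CommandLine"], hit["MandatoryLabel_Meaning"])
```

Running it shows the page's query returning both of today's wevtutil.exe executions (the clear and the harmless query) and excluding the three-day-old clear and notepad.exe, while the narrowed version returns only the clear, tagged high_integrity. In production the two signals complement each other: the process-creation alert fires at execution time, and Security event 1102 ("The audit log was cleared") confirms the outcome.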

Operating Systems: Windows Only

References:

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688

https://attack.mitre.org/techniques/T1070/001/