Hackers Exploited Windows Event Logging Tool To Steal Data Secretly

Wevtutil.exe, the built-in Windows event log utility, can be abused as a Living Off the Land binary (LOLBAS) to export logs for exfiltration, query specific event data, or clear logs.

Attackers increasingly use Living Off the Land Binaries and Scripts (LOLBAS) tactics.

These techniques rely on trustworthy, pre-installed Windows tools to perform malicious actions, frequently evading security measures without detection.

“Wevtutil.exe can be exploited in a LOLBAS context to clear, query, or export event logs, helping attackers evade detection and exfiltrate data”, reads the Denwp Research blog.

It is an efficient and stealthy tool for post-exploitation activities due to its built-in existence on Windows platforms.

Attackers Exploiting The Windows Event Log Utility

System administrators frequently use wevtutil.exe to collect and organize logs for auditing or troubleshooting. Regardless of that intended purpose, the same capabilities can be turned to harmful ends.


Key features of wevtutil.exe include:

  • Exporting event logs to XML format.
  • Clearing specific or all event logs.
  • Querying event logs based on defined criteria.

Wevtutil.exe is a double-edged sword because of these features; although it is very useful for legitimate activities, it may also help attackers hide their tracks or steal data.

The wevtutil cl command gives attackers the ability to delete individual logs selectively or clear all of them.

Although log clearing is not a novel strategy, employing uncommon tools may help avoid detection systems that mostly target popular programs like PowerShell.

Additionally, when run from an elevated command prompt, the command effectively clears the Application logs, the researchers said.

Figure caption: Using wevtutil cl to clear all logs

In the Windows Event Viewer, Event ID 1102 is created when the Security log is cleared. This event indicates that the audit logs have been cleared, which is a crucial security indicator.

For defenders and security monitoring software, Event ID 1102 is highly visible because it records details such as the logon and the process that carried out the log-clearing activity.

Figure caption: Event properties

By default, Windows does not record events that indicate the deletion of non-Security logs, such as Application or System. Administrators can mitigate this by enabling audit policies that record log removal operations.

Further, the wevtutil qe command lets wevtutil.exe export event logs in XML format. Logs may contain sensitive information that an attacker could extract and exfiltrate, such as credentials or indications of internal activity.

Wevtutil.exe makes it possible to query logs precisely, giving attackers information about user or system activity.

Adversaries can learn about privileged operations, system faults, or authentication attempts by using customized queries.

Using wevtutil.exe as part of a chain of LOLBAS tools can make activities even more difficult to understand. For example, an attacker could:

  • Export logs using wevtutil.exe.
  • Compress the exported file with makecab.exe.
  • Use certutil.exe to upload the file to a remote location.

Organizations ought to consider enhanced monitoring, event log integrity, and behavioral analytics to combat this abuse of wevtutil.exe.

Enabling advanced audit policies can enhance detection capabilities and log events even for non-Security logs.
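A minimal detection pass over exported event XML, as an added example that is not part of the article or of Denwp Research's work: it flags Event ID 1102 and any 4688 process-creation event whose command line invokes wevtutil with a clear, query or export verb. The three event records are constructed, and the example assumes command-line auditing is enabled so that 4688 carries the CommandLine field.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# wevtutil verbs the article describes as abused, mapped to the behaviour they indicate
SUSPICIOUS_VERBS = {"cl": "log clearing", "clear-log": "log clearing",
                    "qe": "log query/export", "query-events": "log query/export",
                    "epl": "log export", "export-log": "log export"}

# Constructed sample records in the XML shape the Windows event log uses:
# a 4688 event for a benign wevtutil call, one for "wevtutil cl", and a 1102
# "audit log was cleared" event. Not real telemetry.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID></System>
 <EventData><Data Name="SubjectUserName">admin</Data>
  <Data Name="NewProcessName">C:\\Windows\\System32\\wevtutil.exe</Data>
  <Data Name="CommandLine">wevtutil gl Application</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID></System>
 <EventData><Data Name="SubjectUserName">jdoe</Data>
  <Data Name="NewProcessName">C:\\Windows\\System32\\wevtutil.exe</Data>
  <Data Name="CommandLine">wevtutil cl Application</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID></System>
 <UserData><LogFileCleared><SubjectUserName>jdoe</SubjectUserName></LogFileCleared></UserData></Event>
</Events>"""

def parse_events(xml_text):
    """Flatten each <Event> into a dict: Data/@Name or the leaf element's local name -> text."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        rec = {}
        for node in ev.iter():
            local = node.tag.rsplit("}", 1)[-1]
            key = node.get("Name") if local == "Data" else local
            if key and node.text and node.text.strip():
                rec[key] = node.text.strip()
        yield rec

def detect(xml_text):
    """Return (event_id, description) alerts for log clearing and wevtutil misuse."""
    alerts = []
    for rec in parse_events(xml_text):
        eid = rec.get("EventID")
        if eid == "1102":  # always written when the Security log is cleared
            alerts.append((eid, "Security log cleared by " + rec.get("SubjectUserName", "?")))
        elif eid == "4688" and rec.get("NewProcessName", "").lower().endswith("\\wevtutil.exe"):
            parts = rec.get("CommandLine", "").split()
            verb = parts[1].lower() if len(parts) > 1 else ""
            if verb in SUSPICIOUS_VERBS:
                alerts.append((eid, SUSPICIOUS_VERBS[verb] + ": " + rec["CommandLine"]))
    return alerts

if __name__ == "__main__":
    for eid, msg in detect(SAMPLE_XML):
        print(eid, msg)
```

The benign wevtutil gl call is deliberately left unflagged, so the rule keys on the verb rather than on the binary alone.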

Additionally, understanding these behaviours is critical for both red teams who utilize this utility and defenders who want to detect and minimize its abuse.


The post Hackers Exploited Windows Event Logging Tool To Steal Data Secretly appeared first on Cyber Security News.