Wevtutil.exe abuse
Wevtutil.exe is an administrator command-line utility used primarily to register your event provider on the computer. It provides metadata information about the provider, its events, and the channels to which it logs events, and it can query events from a channel or log file. This search looks for wevtutil.exe with parameters for clearing the Application, Security, Setup, or System event logs, which ransomware authors can use in preparation for or during an attack.
Data required
Procedure
- Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. To run this search, your deployment needs to be ingesting data that records process activity from your hosts, and populating the Endpoint Process data model node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=wevtutil.exe "Processes.process"="*cl*" ("Processes.process"="*System*" OR "Processes.process"="*Security*" OR "Processes.process"="*Setup*" OR "Processes.process"="*Application*")) BY "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"
| rename "Processes.*" AS "*"
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `\| tstats allow_old_summaries=true values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=wevtutil.exe "Processes.process"="*cl*" ("Processes.process"="*System*" OR "Processes.process"="*Security*" OR "Processes.process"="*Setup*" OR "Processes.process"="*Application*")) BY "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"` | Query the Endpoint.Processes data model object for wevtutil.exe executions whose command line contains "cl" (the clear-log verb) together with one of the System, Security, Setup, or Application channel names. Then group the results by process name, parent process name, destination, and user. |
| `\| rename "Processes.*" AS "*"` | Rename data model fields for better readability. |
| `\| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)` `\| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)` | Convert these times into readable strings. |
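As an added illustration (not part of the original page or Splunk's own content), the following Python reproduces the search's WHERE filter and BY grouping over constructed sample process events, and places beside it a tighter token-based check that only fires when the clear-log verb is directly followed by one of the four channel names. The event field names, hosts, users and command lines are assumptions made for the sample.

```python
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry); field
# names mirror the Endpoint.Processes data model nodes the search reads.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T10:00:01", "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "wevtutil.exe",
     "process": "wevtutil.exe cl Security"},
    {"_time": "2024-03-01T10:00:02", "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "wevtutil.exe",
     "process": "wevtutil.exe clear-log System"},
    # Legitimate export whose path happens to contain "cl" (in "Cluster").
    {"_time": "2024-03-01T11:30:00", "dest": "srv02", "user": "CORP\\svc_backup",
     "parent_process_name": "powershell.exe", "process_name": "wevtutil.exe",
     "process": r"wevtutil.exe epl Security D:\LogArchive\Cluster\Security.evtx"},
]

CHANNELS = {"system", "security", "setup", "application"}
CLEAR_VERBS = {"cl", "clear-log"}


def matches_search(ev):
    """The search's WHERE clause: wevtutil.exe whose command line contains
    'cl' and one of the four channel names, as case-insensitive substrings."""
    cmd = ev["process"].lower()
    return (ev["process_name"].lower() == "wevtutil.exe"
            and "cl" in cmd and any(ch in cmd for ch in CHANNELS))


def is_core_log_clear(ev):
    """Tighter variant: the verb token must be cl/clear-log and the token
    right after it one of the four channels, so exports and queries do not match."""
    if ev["process_name"].lower() != "wevtutil.exe":
        return False
    args = [a.lower() for a in ev["process"].split()]
    return any(v in CLEAR_VERBS and n in CHANNELS for v, n in zip(args, args[1:]))


def summarize(events, predicate=matches_search):
    """Mirror the BY clause: group matches by process_name, parent_process_name,
    dest and user, collecting values(process), min(_time) and max(_time)."""
    groups = defaultdict(lambda: {"process": set(), "firstTime": None, "lastTime": None})
    for ev in events:
        if not predicate(ev):
            continue
        g = groups[(ev["process_name"], ev["parent_process_name"], ev["dest"], ev["user"])]
        g["process"].add(ev["process"])
        t = ev["_time"]  # ISO-8601 strings of one format compare correctly as text
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    return dict(groups)
```

Running `summarize(SAMPLE_EVENTS)` returns both the ws01 clears and the srv02 export (the `*cl*` wildcard is a plain substring match), while `summarize(SAMPLE_EVENTS, predicate=is_core_log_clear)` returns only the ws01 group.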
Next steps
False positives from this search may occur because the wevtutil.exe application is a legitimate Windows event log utility. Administrators may use it to manage Windows event logs.
If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.
Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.