Query Details

Detecting Abuse of Wevtutil.exe in LOLBAS Attacks

Query

// Detecting Abuse of Wevtutil.exe in LOLBAS Attacks

// https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
// The article discusses how attackers exploit the Windows event log utility, wevtutil.exe, in Living Off the Land Binaries and Scripts (LOLBAS) attacks. This tool, typically used for managing event logs, can be misused to export, query, or clear logs, aiding in data exfiltration and evasion of detection. By leveraging wevtutil.exe, attackers can hide their tracks and extract sensitive information, making it a potent tool for post-exploitation activities. Enhanced monitoring and audit policies are recommended to mitigate these risks. I will be sharing a KQL to detect this type of abuse.

DeviceProcessEvents
| where TimeGenerated > ago(1h)
// =~ is the case-insensitive string comparison, so WEVTUTIL.EXE is matched too
| where FileName =~ "wevtutil.exe"
// Either branch fires: the process runs with a full (elevated) token, or its own
// command line carries the clear-log (cl) or query-events (qe) subcommand.
// has_any is a case-insensitive whole-term match on ProcessCommandLine;
// InitiatingProcessCommandLine is the parent process's command line and
// would only match if it were exactly "cl" or "qe".
| where ProcessTokenElevation == "TokenElevationTypeFull"
    or ProcessCommandLine has_any ("cl", "qe")

// MITRE ATT&CK

Explanation

This KQL (Kusto Query Language) query is designed to detect potential misuse of the Windows event log utility, wevtutil.exe, which can be exploited in Living Off the Land Binaries and Scripts (LOLBAS) attacks. Here's a simplified breakdown of what the query does:

  1. Data Source: It looks at DeviceProcessEvents, which contains information about processes running on devices.

  2. Time Frame: The query focuses on events generated in the last hour (TimeGenerated > ago(1h)).

  3. Target Process: It specifically filters for events where the process name is wevtutil.exe, a tool used for managing Windows event logs.

  4. Elevation Check: It checks if the process has full administrative privileges (ProcessTokenElevation == "TokenElevationTypeFull").

  5. Command Line Indicators: It also looks for the wevtutil subcommands cl (clear-log) and qe (query-events) in the process's command line, which indicate log clearing or log querying.

The query aims to identify instances where wevtutil.exe is being used in ways that could suggest an attempt to manipulate or clear event logs, which is a common tactic in post-exploitation activities to cover tracks or extract sensitive information.
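The following Python is an added example, not the author's query or code from the linked article: it models the detection decision offline, over constructed DeviceProcessEvents-style rows, so both branches (a full token, or a clear/query subcommand) can be exercised without a workspace. It goes a little beyond the page's two short forms: wevtutil also accepts the long spellings clear-log and query-events, and the export verb epl/export-log is included because the summary names log export as one of the abused actions. The sample rows, their parent command lines and their elevation values are assumptions.

```python
# Added example (not the page author's query or code): an offline model of the
# detection logic, run over constructed DeviceProcessEvents-style records.
import shlex
from dataclasses import dataclass
from typing import Optional

# Subcommand spellings wevtutil accepts for the actions the page discusses
# (clear, query, export logs). The page's query checks only "cl" and "qe";
# the long forms and the export verb are an extension made here.
VERB_ALIASES = {
    "cl": "clear-log", "clear-log": "clear-log",
    "qe": "query-events", "query-events": "query-events",
    "epl": "export-log", "export-log": "export-log",
}
SUSPICIOUS_VERBS = {"clear-log", "query-events", "export-log"}


@dataclass
class ProcessEvent:
    """Subset of DeviceProcessEvents columns the query relies on."""
    FileName: str
    ProcessCommandLine: str
    ProcessTokenElevation: str
    InitiatingProcessCommandLine: str


def wevtutil_verb(command_line: str) -> Optional[str]:
    """Return the normalised wevtutil subcommand, or None if there is none.

    wevtutil's syntax is COMMAND first, then arguments, then /OPTION:VALUE,
    so the verb is the first token after the executable. posix=False keeps
    backslash paths and a quoted executable path intact as single tokens.
    """
    try:
        argv = shlex.split(command_line, posix=False)
    except ValueError:          # unbalanced quotes: no usable verb
        return None
    if len(argv) < 2:
        return None
    return VERB_ALIASES.get(argv[1].lower())


def is_suspicious(ev: ProcessEvent) -> bool:
    """The decision the query makes for one row."""
    if ev.FileName.lower() != "wevtutil.exe":
        return False
    if ev.ProcessTokenElevation == "TokenElevationTypeFull":
        return True
    return wevtutil_verb(ev.ProcessCommandLine) in SUSPICIOUS_VERBS


def parent_cmdline_clause(ev: ProcessEvent) -> bool:
    """A clause of the form InitiatingProcessCommandLine in ("cl", "qe") is an
    exact match on the parent's whole command line; kept here to show that it
    never fires on rows where the verb sits in the wevtutil process's own
    command line."""
    return ev.InitiatingProcessCommandLine in ("cl", "qe")


def run_detection(events):
    """Return the command lines of the rows the detection flags."""
    return [ev.ProcessCommandLine for ev in events if is_suspicious(ev)]


# Constructed sample rows (not real telemetry); the elevation strings follow
# the TokenElevationType* naming used by the DeviceProcessEvents table.
SAMPLE_EVENTS = [
    # log clearing from a non-elevated shell: flagged by the verb branch
    ProcessEvent("wevtutil.exe", "wevtutil.exe cl Security",
                 "TokenElevationTypeLimited", r"C:\Windows\System32\cmd.exe"),
    # long-form spelling and a quoted path: same verb after normalisation
    ProcessEvent("wevtutil.exe",
                 r'"C:\Windows\System32\wevtutil.exe" Clear-Log System',
                 "TokenElevationTypeLimited", "powershell.exe"),
    # a query with options after the arguments: flagged
    ProcessEvent("wevtutil.exe", "wevtutil.exe qe Security /c:20 /rd:true /f:text",
                 "TokenElevationTypeLimited", "powershell.exe"),
    # harmless enumeration, but run with a full token: flagged by elevation
    ProcessEvent("wevtutil.exe", "wevtutil.exe el",
                 "TokenElevationTypeFull", "cmd.exe"),
    # harmless, non-elevated log metadata lookup: not flagged
    ProcessEvent("wevtutil.exe", "wevtutil.exe gl Application",
                 "TokenElevationTypeLimited", "cmd.exe"),
    # another binary with a "cl" argument: not flagged (FileName filter)
    ProcessEvent("notepad.exe", "notepad.exe cl",
                 "TokenElevationTypeFull", "explorer.exe"),
]

if __name__ == "__main__":
    for line in run_detection(SAMPLE_EVENTS):
        print("flagged:", line)
    print("rows matched by the parent-command-line clause:",
          sum(parent_cmdline_clause(ev) for ev in SAMPLE_EVENTS))
```

Run stand-alone it prints the four flagged command lines and reports that the parent-command-line clause matches zero rows; the elevation branch is deliberately broad (any elevated wevtutil run, even `el`), so in production it is the branch most likely to need tuning against known administrative tooling.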

Details


Steven Lim

Released: December 3, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, TimeGenerated, FileName, ProcessTokenElevation, InitiatingProcessCommandLine

Operators

ago, >, ==, or, in
