JakePeralta7 (Contributor)

Added detection of clearing event logs with functions from wevtapi.dll; these functions can also be used remotely after a session is established with RPC using the EvtOpenSession function.

Reference Code:
getel-arch/ClearLogsRemotely

williballenthin (Collaborator) left a comment

thank you!

Initially I was unsure if the name "... remotely" was appropriate, but as I look at some examples and the API documentation, I see that NULL would be provided instead of the session, so requiring EvtOpenSession is great here.


williballenthin commented Feb 22, 2025

for example here is WSReset.exe, which clears a local log:
[screenshot: import table of WSReset.exe]

it imports only EvtClearLog, not any of the other routines.

so here's a VT search for local clearing: https://www.virustotal.com/gui/search/imports%253AEvtClearLog%2520and%2520not%2520imports%253AEvtOpenSession?type=files

and likely remote clearing: https://www.virustotal.com/gui/search/imports%253AEvtClearLog%2520and%2520imports%253AEvtOpenSession?type=files (very few hits aside from wevtutil)
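An illustrative capa rule for the distinction drawn above (EvtClearLog alone clears a local log; EvtOpenSession alongside it indicates a remote target). This is an added example written for this page, not the rule merged in this PR; the author, namespace and the omitted `examples` entry are placeholders.

```yaml
rule:
  meta:
    name: clear event logs remotely          # placeholder name, not the merged rule's
    namespace: anti-analysis/anti-forensic/clear-logs   # placeholder namespace
    authors:
      - placeholder@example.com              # placeholder, not the PR author
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
    references:
      - getel-arch/ClearLogsRemotely         # reference code named in the PR description
    # capa's linter also expects an `examples:` list of sample hashes; omitted here
    # rather than inventing one.
  features:
    - and:
      # EvtOpenSession(EvtRpcLogin, ...) returns the session handle for a remote host.
      # Passing NULL as the session to EvtClearLog clears a local log instead, which is
      # why the remote rule requires both imports while a local-only rule would not.
      - api: wevtapi.EvtOpenSession
      - api: wevtapi.EvtClearLog
```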


JakePeralta7 commented Feb 22, 2025

Sorry about all of the mess in the commits; it's my first time writing a CAPA rule and I'm not used to your workflows.

williballenthin (Collaborator) commented

No worries! I appreciate the patience, and I'll squash merge so the history ends up clean.

Really neat that you took the time to submit a rule after developing the POC. I hope we can continue to work together :-)

@williballenthin williballenthin merged commit 9c86fbe into mandiant:master Feb 22, 2025