Adversaries may clear Windows event logs with wevtutil to erase forensic evidence and obscure their presence and activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential log tampering and detect advanced persistent threats that seek to evade detection.
KQL Query
```kql
// Look for use of wevtutil to clear multiple logs
DeviceProcessEvents
| where Timestamp > ago(1d)
| where ProcessCommandLine has "WEVTUTIL" and ProcessCommandLine has "CL"
| summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
| where LogClearCount > 10
```
```yaml
id: 4c086156-63ea-469c-bc85-c57e2ed4ac32
name: Clearing of forensic evidence from event logs using wevtutil
description: |
  This query looks for more than 10 distinct wevtutil log-clearing commands on a single device within a 5-minute window (LogClearCount > 10), a pattern consistent with bulk clearing of event logs to destroy forensic evidence.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Ransomware
query: |
  // Look for use of wevtutil to clear multiple logs
  DeviceProcessEvents
  | where Timestamp > ago(1d)
  | where ProcessCommandLine has "WEVTUTIL" and ProcessCommandLine has "CL"
  | summarize LogClearCount = dcount(ProcessCommandLine), ClearedLogList = make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 5m)
  | where LogClearCount > 10
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector is enabled |
Known false positives and tuning

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task runs wevtutil to clear old event logs as part of routine system maintenance. | Exclude events where the source is a known maintenance task (e.g., Microsoft-Windows-TaskScheduler) or where the log cleared is a non-critical log (e.g., Application, System). |
| Log Rotation via PowerShell Script | An admin uses a PowerShell script to rotate and clear event logs to manage disk space. | Exclude events where the command is executed from a known admin script or where the log cleared is part of a log rotation policy (e.g., Application, Security logs with specific retention policies). |
| User-Initiated Log Clearing for Debugging | A developer or admin manually clears event logs to troubleshoot an issue or reset the log for testing. | Exclude events where the user is a known admin or where the log cleared is associated with a specific debugging session (e.g., EventLog tool or wevtutil used in a controlled environment). |
| Automated Log Purge by Third-Party Monitoring Tool | A third-party monitoring or SIEM tool uses wevtutil to periodically purge old logs to maintain performance. | Exclude events where the process is initiated by a known third-party tool (e.g., Splunk, Logstash, or ELK) or where the log cleared is part of a configured retention policy. |
| Log Clearing During System Imaging or Backup | An admin clears event logs as part of a system imaging or backup process to ensure clean logs for forensic analysis. | |
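The detection logic of the query above and the allowlist-style exclusions the maintenance-task and admin-script scenarios describe, run over constructed sample telemetry, as an added Python model that is not part of the original page, of Sentinel, or of the hunting-query repository. It emulates KQL's whole-term `has` matching, the 5-minute `bin`, the `dcount` threshold and an exclusion keyed on the initiating process and account. Column names follow the DeviceProcessEvents schema (`ProcessCommandLine`, `InitiatingProcessFileName`, `AccountName`); the device ids, account names, allowlist entries, log lists and timestamps are all constructed. It goes one step beyond the page's query by also recognising wevtutil's long `clear-log` verb, which the `has "CL"` term filter never matches.

```python
import re
from collections import defaultdict
from datetime import datetime

# wevtutil accepts the short verb "cl" and the long verb "clear-log"; the
# target log may be quoted. Both spellings are recognised here.
CLEAR_RE = re.compile(
    r'wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def kql_has(text, term):
    """Approximate KQL `has`: case-insensitive whole-term match, where terms are
    runs of alphanumeric characters. So has "CL" matches `wevtutil cl Security`
    but not `wevtutil clear-log Security` (its terms are "clear" and "log")."""
    return term.lower() in re.findall(r"[a-z0-9]+", text.lower())

def cleared_log(cmdline):
    """Return the event log a wevtutil clear command targets, or None."""
    m = CLEAR_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def bin_5m(ts):
    """Emulate bin(Timestamp, 5m): floor to the enclosing 5-minute boundary."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)

# Constructed allowlist for the maintenance-task / admin-script scenarios:
# (InitiatingProcessFileName, AccountName) pairs that are expected to clear logs.
DEFAULT_ALLOWLIST = (("svchost.exe", "contoso\\svc-logrotate"),)

def is_allowlisted(event, allowlist):
    key = (event["InitiatingProcessFileName"].lower(), event["AccountName"].lower())
    return key in {(p.lower(), a.lower()) for p, a in allowlist}

def hunt(events, threshold=10, allowlist=DEFAULT_ALLOWLIST, match_long_verb=True):
    """Model of the page's query: per DeviceId and 5-minute bin, count distinct
    wevtutil clear commands and flag bins whose count exceeds `threshold`.
    match_long_verb=False reproduces the original has "WEVTUTIL" / has "CL"
    filter; True also catches the equivalent clear-log spelling.
    (The query's ago(1d) window is assumed already applied to `events`.)"""
    buckets = defaultdict(set)
    for ev in events:
        cmd = ev["ProcessCommandLine"]
        if match_long_verb:
            matched = cleared_log(cmd) is not None
        else:
            matched = kql_has(cmd, "WEVTUTIL") and kql_has(cmd, "CL")
        if not matched or is_allowlisted(ev, allowlist):
            continue
        buckets[(ev["DeviceId"], bin_5m(ev["Timestamp"]))].add(cmd)
    hits = []
    for (device, start), cmds in sorted(buckets.items()):
        if len(cmds) > threshold:  # mirrors `where LogClearCount > 10`
            hits.append({"DeviceId": device, "Bin": start, "LogClearCount": len(cmds),
                         "ClearedLogList": sorted(cleared_log(c) or c for c in cmds)})
    return hits

# ---- Constructed sample telemetry (not real data) ----
LOGS = ["Application", "System", "Security", "Setup", "ForwardedEvents",
        "Microsoft-Windows-PowerShell/Operational",
        "Microsoft-Windows-Sysmon/Operational",
        "Microsoft-Windows-TaskScheduler/Operational",
        "Microsoft-Windows-WMI-Activity/Operational",
        "Microsoft-Windows-DNS-Client/Operational",
        "Microsoft-Windows-Bits-Client/Operational",
        "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"]

def _event(device, minute, cmd, parent, account):
    return {"DeviceId": device, "Timestamp": datetime(2024, 1, 1, 12, minute),
            "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent,
            "AccountName": account}

SAMPLE_EVENTS = (
    # 01: twelve logs wiped within three minutes from an interactive shell.
    [_event("DEV-CONSTRUCTED-01", i % 3, f'wevtutil.exe cl "{log}"', "cmd.exe",
            "contoso\\jdoe") for i, log in enumerate(LOGS)]
    # 02: same volume, but from the allowlisted log-rotation service account.
    + [_event("DEV-CONSTRUCTED-02", 30, f"wevtutil cl {log}", "svchost.exe",
              "contoso\\svc-logrotate") for log in LOGS]
    # 03: same as 01 but using the long verb, which has "CL" never matches.
    + [_event("DEV-CONSTRUCTED-03", i % 3, f"wevtutil clear-log {log}",
              "powershell.exe", "contoso\\jdoe") for i, log in enumerate(LOGS)]
    # 04: a developer clearing two logs, below the threshold.
    + [_event("DEV-CONSTRUCTED-04", 45 + i, f"wevtutil cl {log}", "cmd.exe",
              "contoso\\dev1") for i, log in enumerate(LOGS[:2])]
)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceId"], hit["Bin"], hit["LogClearCount"], hit["ClearedLogList"][:3])
```

With the sample data, the page's exact filter (`match_long_verb=False`) flags only DEV-CONSTRUCTED-01; the extended matcher also flags DEV-CONSTRUCTED-03, and dropping the allowlist adds the service account on DEV-CONSTRUCTED-02. The allowlist is keyed on initiating process plus account rather than on the log name, because a name-based exclusion for Application or System would also suppress an adversary clearing those same logs.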