Why would WEVTUTIL.exe uninstall the manifest file of a given application?

Copper Contributor

Hi Everyone,

 

I work as an InfoSec analyst where I manage endpoints. I came across several detections in the EDR tool for the technique "Defense evasion via modify security tools". The triggered file here is msiexec.exe. As I understand it, msiexec.exe is run during new installation, modification or uninstallation of an application. The EDR agent was deployed on the client system a long time ago, hence we can rule out installation. After a thorough investigation, I found that the wevtutil.exe operation below was run at the exact detection time, which probably caused the alert to trigger.

"wevtutil.exe" um "C:\program files (x86)\EDR-xx\EDR-xxService.man"

 

So, please clarify on the below queries.

1. What is a manifest file and what does it contain?

2. Why would wevtutil uninstall the manifest file?

3. What will cause wevtutil to be invoked?

 

Quick assistance is appreciated.

 

Thank you

0 Replies
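Added example (not from the original post, and not the EDR vendor's code): a PowerShell script that covers the two checks an analyst would run here. The first part parses an ETW instrumentation manifest (.man) and lists the providers and channels it declares, which is what "wevtutil im" registers and "wevtutil um" removes. The second part reads Security event 4688 (process creation) and reports the parent process and command line of every wevtutil.exe launch, so you can see what invoked it; a parent of msiexec.exe points at an installer custom action. The sample manifest, its provider name, GUID and DLL paths are constructed for the example and belong to no real product; the 4688 query assumes process creation auditing with command-line logging is enabled and that the shell is elevated.

```powershell
# Added example (not from the original post, and not the EDR vendor's code).
# Part 1 answers "what is in a .man file"; part 2 shows how to find what launched wevtutil.exe.

# --- Part 1: summarise an ETW instrumentation manifest ---------------------------------------
# A .man file is an XML instrumentation manifest: it declares ETW providers (name, GUID,
# resource/message DLLs), the channels (event logs) they write to and the events they emit.
# "wevtutil im" registers those providers and channels on the system; "wevtutil um" removes
# them again, which is normally done when the owning software is uninstalled or upgraded.
function Get-ManifestSummary {
    param([Parameter(Mandatory)][string]$Path)
    $man = New-Object System.Xml.XmlDocument
    $man.Load((Resolve-Path -LiteralPath $Path).Path)   # Load() copes with a BOM, unlike [xml]"..."
    $ns = New-Object System.Xml.XmlNamespaceManager($man.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events')
    foreach ($p in $man.SelectNodes('//e:provider', $ns)) {
        [pscustomobject]@{
            Provider    = $p.GetAttribute('name')
            Guid        = $p.GetAttribute('guid')
            ResourceDll = $p.GetAttribute('resourceFileName')
            Channels    = @($p.SelectNodes('.//e:channel', $ns) | ForEach-Object { $_.GetAttribute('name') }) -join ', '
            EventCount  = $p.SelectNodes('.//e:event', $ns).Count
        }
    }
}

# Constructed sample manifest so the function can be tried offline; provider name, GUID and
# paths are made up and do not belong to any real product.
$sampleManifest = @'
<?xml version="1.0" encoding="UTF-8"?>
<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events"
                         xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
  <instrumentation>
    <events>
      <provider name="Contoso-Agent-Service" guid="{11111111-2222-3333-4444-555555555555}"
                symbol="ContosoAgentProvider"
                resourceFileName="C:\Program Files\Contoso\Agent.dll"
                messageFileName="C:\Program Files\Contoso\Agent.dll">
        <channels>
          <channel name="Contoso-Agent-Service/Operational" chid="Op" type="Operational" enabled="true"/>
        </channels>
        <events>
          <event value="1" symbol="AgentStarted" channel="Op" level="win:Informational"/>
          <event value="2" symbol="AgentStopped" channel="Op" level="win:Informational"/>
        </events>
      </provider>
    </events>
  </instrumentation>
</instrumentationManifest>
'@
$samplePath = Join-Path $env:TEMP 'sample-contoso-agent.man'
Set-Content -LiteralPath $samplePath -Value $sampleManifest -Encoding UTF8
Get-ManifestSummary -Path $samplePath | Format-List

# --- Part 2: who launched wevtutil.exe? -------------------------------------------------------
# Security event 4688 (process creation) carries NewProcessName, CommandLine and, on
# Windows 10 / Server 2016 and later, ParentProcessName. CommandLine is only populated when
# "Include command line in process creation events" is enabled. Reading the Security log
# needs an elevated shell. If Sysmon is deployed, event ID 1 (Image / ParentImage /
# ParentCommandLine) gives the same answer.
function Get-WevtutilLaunches {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction Stop
    foreach ($ev in $events) {
        # Read EventData by field name rather than by position, so the index layout does not matter.
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        if ($d['NewProcessName'] -notlike '*\wevtutil.exe') { continue }
        [pscustomobject]@{
            Time          = $ev.TimeCreated
            CommandLine   = $d['CommandLine']
            ParentProcess = $d['ParentProcessName']   # ...\msiexec.exe => Windows Installer custom action
            CreatorPid    = $d['ProcessId']           # hex PID of the creator process
            User          = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
}

# wevtutil accepts "um" or "uninstall-manifest"; keep only manifest removals, as in the alert.
try {
    Get-WevtutilLaunches |
        Where-Object { $_.CommandLine -match '\s(um|uninstall-manifest)\s' } |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not read the Security log: $($_.Exception.Message)"
}
```

If the parent is msiexec.exe, correlate the time with MsiInstaller events in the Application log (IDs 1033/1034/1035/1036 for install, remove, modify and update) to tell an uninstall from an upgrade or repair of the agent; an upgrade typically removes the old manifest with "um" and re-registers the new one with "im" moments later. If the parent is something else (a script host, a remote-management tool, an unexpected user), treat the detection as genuine until proven otherwise.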