Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started" AND (COMMANDLINE contains "Microsoft-Windows-PowerShell,Microsoft-Windows-Security-Auditing,Microsoft-Windows-TerminalServices-LocalSessionManager,Microsoft-Windows-TerminalServices-RemoteConnectionManager,Microsoft-Windows-Windows Defender,PowerShellCore,Security,Windows PowerShell" OR COMMANDLINE contains "-InstanceId 462?,.eventid -eq 462?,EventCode=?462?,EventIdentifier=?462?,System[EventID=462?],-InstanceId 4778,.eventid -eq 4778,System[EventID=4778],EventCode=?4778?,EventIdentifier=?4778?,-InstanceId 25,.eventid -eq 25,System[EventID=25],EventCode=?25?,EventIdentifier=?25?") AND ((COMMANDLINE contains "Select" AND COMMANDLINE contains "Win32_NTLogEvent") OR ((PROCESSNAME endswith "\wevtutil.exe" OR ORIGINALFILENAME = "wevtutil.exe") AND COMMANDLINE contains " qe , query-events ") OR ((PROCESSNAME endswith "\wmic.exe" OR ORIGINALFILENAME = "wmic.exe") AND COMMANDLINE contains " ntevent") OR COMMANDLINE contains "Get-WinEvent ,get-eventlog ") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
