Techniques
Sample rules
Suspicious Use of PsLogList
- source: sigma
- techniques:
- t1087
- t1087.001
- t1087.002
Description
Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to clear event logs
Detection logic
selection_img:
    - Image|endswith:
        - '\psloglist.exe'
        - '\psloglist64.exe'
    - OriginalFileName: 'psloglist.exe'
selection_cli_eventlog:
    CommandLine|contains:
        - ' security'
        - ' application'
        - ' system'
selection_cli_flags:
    CommandLine|contains|windash:
        - ' -d'
        - ' -x'
        - ' -s'
        - ' -c'
        - ' -g'
condition: all of selection_*
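To see what the three selections and the `all of selection_*` condition actually match, here is an added example (it is not part of the Sigma rule, this page, or any Sigma backend): a small Python evaluator that implements only the Sigma features the rule uses (`endswith`, `contains`, the `windash` modifier, list OR-semantics within a field, AND across fields and selections) and runs it over constructed process-creation events. Assumptions: field names follow the Sigma `process_creation` log source (`Image`, `OriginalFileName`, `CommandLine`); string matching is case-insensitive as in Sigma; `windash` expands each `-` to `/` and, as in the Sigma v2 specification, to the Unicode dash variants; the sample events are invented for the demonstration.

```python
"""Added example: minimal evaluator for the PsLogList Sigma rule above.

Not the rule's own code and not a Sigma backend; it covers only the modifiers
this rule uses. Events are constructed for the demonstration.
"""

# Sigma 'windash': every '-' in the value is expanded so the pattern also
# matches the '/' switch syntax and (Sigma v2 spec) the Unicode dash variants.
WINDASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_variants(value: str) -> list[str]:
    return [value.replace("-", d) for d in WINDASH_VARIANTS]


# The rule's selections, transcribed from the detection block above.
# A selection is a list of alternatives (OR); each alternative maps
# "field|modifiers" -> acceptable values (OR within a field, AND across fields).
RULE = {
    "selection_img": [
        {"Image|endswith": ["\\psloglist.exe", "\\psloglist64.exe"]},
        {"OriginalFileName": ["psloglist.exe"]},
    ],
    "selection_cli_eventlog": [
        {"CommandLine|contains": [" security", " application", " system"]},
    ],
    "selection_cli_flags": [
        {"CommandLine|contains|windash": [" -d", " -x", " -s", " -c", " -g"]},
    ],
}


def _field_matches(event: dict, spec: str, values: list[str]) -> bool:
    field, *mods = spec.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = actual.lower()  # Sigma string comparison is case-insensitive
    candidates = []
    for v in values:
        candidates.extend(windash_variants(v) if "windash" in mods else [v])
    for c in candidates:
        c = c.lower()
        if "endswith" in mods and actual.endswith(c):
            return True
        if "contains" in mods and c in actual:
            return True
        if not mods and actual == c:  # unmodified field: exact match
            return True
    return False


def _selection_matches(event: dict, alternatives: list[dict]) -> bool:
    return any(
        all(_field_matches(event, spec, vals) for spec, vals in alt.items())
        for alt in alternatives
    )


def evaluate(event: dict) -> bool:
    """condition: all of selection_*"""
    return all(_selection_matches(event, alts) for alts in RULE.values())


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Dump the Security log as CSV and clear it afterwards (-c): match
    {"Image": "C:\\Tools\\PsLogList64.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "PsLogList64.exe -accepteula -s -c Security"},
    # Same intent using the '/' switch syntax that windash covers: match
    {"Image": "C:\\Tools\\psloglist.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "psloglist.exe /d 3 security"},
    # Renamed binary; OriginalFileName from the PE header still identifies it: match
    {"Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "svc.exe -x system"},
    # psloglist without a monitored log name or flagged switch: no match
    {"Image": "C:\\Tools\\psloglist.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "psloglist.exe -accepteula"},
    # A different tool clearing the same log is outside this rule's scope: no match
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
]


def run_samples() -> list[bool]:
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_samples()):
        print("ALERT" if hit else "ok   ", event["CommandLine"])
```

Two things the run makes visible: the renamed-binary event still fires because `OriginalFileName` comes from the PE version resource rather than the path, and a legitimate administrator running `psloglist -d 7 application` matches just the same, so the rule needs tuning or enrichment (user, parent process, host role) before it is treated as high-confidence.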