LoFP / Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign.

Techniques

Sample rules

PowerShell Write-EventLog Usage

Description

Detects usage of the “Write-EventLog” cmdlet with the ‘RawData’ parameter. The cmdlet can be leveraged to write malicious payloads into the EventLog so that they can be retrieved later.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains|all:
  - Write-EventLog
  - '-RawData '
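To show what this selection actually matches, here is an added example (not part of the LoFP page or the Sigma project) that implements the rule's "contains|all" modifier in a few lines of Python and runs it over constructed PowerShell script block samples (hypothetical ScriptBlockText values, not real telemetry). Sigma string matching is case-insensitive by default, which the evaluator mirrors; note that the rule's second value carries a trailing space ('-RawData '), so a script block that ends right after the parameter name would not match.

```python
# Added example: a minimal evaluator for the Sigma "contains|all" selection
# above, run over constructed ScriptBlockText samples. Not code from the
# LoFP page or from the Sigma project.

# The rule's selection, transcribed from the detection logic above.
WRITE_EVENTLOG_RAWDATA = {
    "ScriptBlockText|contains|all": ["Write-EventLog", "-RawData "],
}


def contains_all(value: str, needles: list[str]) -> bool:
    """Sigma 'contains|all': every needle must be a case-insensitive substring."""
    haystack = value.lower()
    return all(n.lower() in haystack for n in needles)


def matches(event: dict, selection: dict) -> bool:
    """Evaluate a selection made of 'field|contains|all' entries against one event.

    Only the modifier chain used by this rule is supported; anything else
    raises so that a mismatch is not silently treated as a non-match.
    """
    for key, needles in selection.items():
        field, *modifiers = key.split("|")
        if modifiers != ["contains", "all"]:
            raise ValueError(f"unsupported modifier chain: {key}")
        if not contains_all(event.get(field, ""), needles):
            return False
    return True


# Constructed sample script blocks (hypothetical, assumed for this example).
SAMPLE_EVENTS = [
    # 1: ordinary application logging without RawData -> the benign case
    #    the false-positive note at the top of the page describes
    {"id": 1, "ScriptBlockText": "Write-EventLog -LogName Application -Source MyApp "
                                 "-EventId 1000 -Message 'Service started'"},
    # 2: RawData supplied with a byte array -> matches
    {"id": 2, "ScriptBlockText": "Write-EventLog -LogName Application -Source MyApp "
                                 "-EventId 1 -RawData ([byte[]](1,2,3)) -Message 'x'"},
    # 3: same thing in lower case -> still matches (case-insensitive)
    {"id": 3, "ScriptBlockText": "write-eventlog -logname Application -source MyApp "
                                 "-eventid 2 -rawdata $bytes -message 'y'"},
    # 4: reading the log, not writing it -> no match
    {"id": 4, "ScriptBlockText": "Get-EventLog -LogName Application -Newest 10"},
    # 5: parameter name at the very end, no trailing space -> no match,
    #    because the rule's value is '-RawData ' with a space
    {"id": 5, "ScriptBlockText": "Write-EventLog -LogName Application -Source MyApp "
                                 "-EventId 3 -RawData"},
]


def flagged_ids(events=SAMPLE_EVENTS, selection=WRITE_EVENTLOG_RAWDATA) -> list[int]:
    """Return the ids of the events the rule's selection matches."""
    return [e["id"] for e in events if matches(e, selection)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "MATCH" if matches(e, WRITE_EVENTLOG_RAWDATA) else "no match"
        print(f"event {e['id']}: {verdict}")
```

Running it flags events 2 and 3 only: the plain logging call (event 1) passes, which is exactly the benign pattern an analyst triages per the false-positive note, and event 5 shows why the trailing space in the rule's value is worth keeping in mind when reviewing coverage.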