Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
- source: sigma
- techniques:
- t1552
Description
Detects execution of various log query utilities and commands used to search and dump the content of specific event logs or to look for specific event IDs. Threat actors use this technique to extract sensitive information from event logs, such as usernames, IP addresses and hostnames.
Detection logic
condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
selection_cmdlet:
    CommandLine|contains:
        - 'Get-WinEvent '
        - 'get-eventlog '
selection_logs_eid:
    CommandLine|contains:
        - '-InstanceId 462?'
        - '.eventid -eq 462?'
        - 'EventCode=?462?'
        - 'EventIdentifier=?462?'
        - 'System[EventID=462?]'
        - '-InstanceId 4778'
        - '.eventid -eq 4778'
        - 'System[EventID=4778]'
        - 'EventCode=?4778?'
        - 'EventIdentifier=?4778?'
        - '-InstanceId 25'
        - '.eventid -eq 25'
        - 'System[EventID=25]'
        - 'EventCode=?25?'
        - 'EventIdentifier=?25?'
selection_logs_name:
    CommandLine|contains:
        - 'Microsoft-Windows-PowerShell'
        - 'Microsoft-Windows-Security-Auditing'
        - 'Microsoft-Windows-TerminalServices-LocalSessionManager'
        - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
        - 'Microsoft-Windows-Windows Defender'
        - 'PowerShellCore'
        - 'Security'
        - 'Windows PowerShell'
selection_wevtutil_cli:
    CommandLine|contains:
        - ' qe '
        - ' query-events '
selection_wevtutil_img:
    - Image|endswith: '\wevtutil.exe'
    - OriginalFileName: 'wevtutil.exe'
selection_wmi:
    CommandLine|contains|all:
        - 'Select'
        - 'Win32_NTLogEvent'
selection_wmic_cli:
    CommandLine|contains: ' ntevent'
selection_wmic_img:
    - Image|endswith: '\wmic.exe'
    - OriginalFileName: 'wmic.exe'
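To make the condition concrete, here is an added Python evaluator that encodes the selections of the rule above and runs them over a few constructed process-creation events. It is not the Sigma project's code or a real Sigma backend; it assumes Sigma's default string semantics (case-insensitive matching, `*` and `?` as wildcards, the fields of a selection ANDed, a list of values ORed unless the `|all` modifier is present, a list of maps ORed). The sample events and their field names are constructed to resemble Sysmon process-creation telemetry.

```python
import re

# Added evaluator for the Sigma rule above; a simplified stand-in for a real
# Sigma backend, not the project's own code. Assumes Sigma's default string
# semantics: case-insensitive, '*' and '?' wildcards, fields of a map ANDed,
# list values ORed (ANDed with |all), and a list of maps ORed.

RULE = {
    "selection_cmdlet": {"CommandLine|contains": ["Get-WinEvent ", "get-eventlog "]},
    "selection_logs_eid": {"CommandLine|contains": [
        "-InstanceId 462?", ".eventid -eq 462?", "EventCode=?462?",
        "EventIdentifier=?462?", "System[EventID=462?]",
        "-InstanceId 4778", ".eventid -eq 4778", "System[EventID=4778]",
        "EventCode=?4778?", "EventIdentifier=?4778?",
        "-InstanceId 25", ".eventid -eq 25", "System[EventID=25]",
        "EventCode=?25?", "EventIdentifier=?25?",
    ]},
    "selection_logs_name": {"CommandLine|contains": [
        "Microsoft-Windows-PowerShell", "Microsoft-Windows-Security-Auditing",
        "Microsoft-Windows-TerminalServices-LocalSessionManager",
        "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
        "Microsoft-Windows-Windows Defender", "PowerShellCore", "Security",
        "Windows PowerShell",
    ]},
    "selection_wevtutil_cli": {"CommandLine|contains": [" qe ", " query-events "]},
    "selection_wevtutil_img": [{"Image|endswith": "\\wevtutil.exe"},
                               {"OriginalFileName": "wevtutil.exe"}],
    "selection_wmi": {"CommandLine|contains|all": ["Select", "Win32_NTLogEvent"]},
    "selection_wmic_cli": {"CommandLine|contains": " ntevent"},
    "selection_wmic_img": [{"Image|endswith": "\\wmic.exe"},
                           {"OriginalFileName": "wmic.exe"}],
}


def sigma_regex(value, mode):
    """Turn one Sigma value plus its modifier into an anchored, case-insensitive regex."""
    body = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    if mode == "contains":
        body = ".*" + body + ".*"
    elif mode == "endswith":
        body = ".*" + body
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def field_matches(event, key, values):
    """Evaluate 'Field|modifier...' against one event; values may be a scalar or a list."""
    field, *mods = key.split("|")
    mode = "contains" if "contains" in mods else "endswith" if "endswith" in mods else "equals"
    actual = str(event.get(field, ""))
    values = values if isinstance(values, list) else [values]
    hits = [sigma_regex(v, mode).fullmatch(actual) is not None for v in values]
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event, sel):
    if isinstance(sel, list):  # list of maps: any one map may match
        return any(selection_matches(event, item) for item in sel)
    return all(field_matches(event, k, v) for k, v in sel.items())  # map: all fields


def rule_matches(event):
    """condition: 1 of selection_logs_* and (selection_wmi or
    all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)"""
    m = {name: selection_matches(event, sel) for name, sel in RULE.items()}

    def one_of(prefix):
        return any(v for n, v in m.items() if n.startswith(prefix))

    def all_of(prefix):
        return all(v for n, v in m.items() if n.startswith(prefix))

    return one_of("selection_logs_") and (
        m["selection_wmi"] or all_of("selection_wevtutil_")
        or all_of("selection_wmic_") or m["selection_cmdlet"])


# Constructed process-creation events (Sysmon EID 1 style fields), not real telemetry.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = {
    "wevtutil_security_logons": {
        "Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
        "CommandLine": r'wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text /c:50'},
    "powershell_security_logons": {
        "Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -c Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624}"},
    "wmic_security_logons": {
        "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic ntevent where \"LogFile='Security' and EventCode=4624\" get Message"},
    "wmi_query_security": {
        "Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell Get-WmiObject -Query \"Select * from Win32_NTLogEvent where Logfile='Security'\""},
    "wevtutil_enumerate_logs": {  # only lists log names: no log queried, no event ID
        "Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
        "CommandLine": "wevtutil el"},
    "powershell_application_log": {  # queries a log the rule does not gate on
        "Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe Get-WinEvent -LogName Application -MaxEvents 10"},
}


def evaluate_samples():
    """Map each constructed event name to whether the rule fires on it."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(("MATCH   " if hit else "no hit  ") + name)
```

The two non-matching samples show where the rule's gating sits: `1 of selection_logs_*` requires either a listed log name or one of the event-ID patterns on the command line, so enumerating logs with `wevtutil el` or querying the Application log does not fire, while the same tools pointed at the Security log do. That gate is also where tuning happens in practice, since `Security` as a bare substring will match any command line containing that word.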