legitimate usage of the utility by administrators to query the event log

Techniques

t1552

Sample rules

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

source: sigma
technicques:
- t1552

Description

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.

Detection logic

condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_*
  or all of selection_wmic_* or selection_cmdlet)
selection_cmdlet:
  CommandLine|contains:
  - 'Get-WinEvent '
  - 'get-eventlog '
selection_logs_eid:
  CommandLine|contains:
  - -InstanceId 4624
  - System[EventID=4624]
  - EventCode=?4624?
  - EventIdentifier=?4624?
  - -InstanceId 4778
  - System[EventID=4778]
  - EventCode=?4778?
  - EventIdentifier=?4778?
  - -InstanceId 25
  - System[EventID=25]
  - EventCode=?25?
  - EventIdentifier=?25?
selection_logs_name:
  CommandLine|contains:
  - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  - Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational
  - Security
selection_wevtutil_cli:
  CommandLine|contains:
  - ' qe '
  - ' query-events '
selection_wevtutil_img:
- Image|endswith: \wevtutil.exe
- OriginalFileName: wevtutil.exe
selection_wmi:
  CommandLine|contains|all:
  - Select
  - Win32_NTLogEvent
selection_wmic_cli:
  CommandLine|contains: ' ntevent'
selection_wmic_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe