Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
related:
- id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
type: derived
status: test
description: |
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://www.group-ib.com/blog/apt41-world-tour-2021/
- https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
- http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today
- https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/
- https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-09-09
modified: 2025-12-02
tags:
- attack.credential-access
- attack.discovery
- attack.t1552
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
selection_wmi:
CommandLine|contains|all:
- 'Select'
- 'Win32_NTLogEvent'
selection_wevtutil_img:
- Image|endswith: '\wevtutil.exe'
- OriginalFileName: 'wevtutil.exe'
selection_wevtutil_cli:
CommandLine|contains:
- ' qe '
- ' query-events '
selection_wmic_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_wmic_cli:
CommandLine|contains: ' ntevent'
selection_cmdlet:
CommandLine|contains:
- 'Get-WinEvent '
- 'get-eventlog '
selection_logs_name:
CommandLine|contains:
# Note: Add more event log channels that are interesting for attackers
- 'Microsoft-Windows-PowerShell'
- 'Microsoft-Windows-Security-Auditing'
- 'Microsoft-Windows-TerminalServices-LocalSessionManager'
- 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
- 'Microsoft-Windows-Windows Defender'
- 'PowerShellCore'
- 'Security'
- 'Windows PowerShell'
selection_logs_eid:
CommandLine|contains:
# Note: We use the "?" to account for both a single and a double quote
# Note: Please add additional interesting event IDs
# Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
# This covers EID 4624 and 4628 from Security Log
- '-InstanceId 462?'
- '.eventid -eq 462?'
- '.ID -eq 462?'
- 'EventCode=?462?'
- 'EventIdentifier=?462?'
- 'System[EventID=462?]'
# This covers EID 4778 from Security Log
- '-InstanceId 4778'
- '.eventid -eq 4778'
- '.ID -eq 4778'
- 'EventCode=?4778?'
- 'EventIdentifier=?4778?'
- 'System[EventID=4778]'
# This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
- '-InstanceId 25'
- '.eventid -eq 25'
- '.ID -eq 25'
- 'EventCode=?25?'
- 'EventIdentifier=?25?'
- 'System[EventID=25]'
# This covers EID 1149 from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log
- '-InstanceId 1149'
- '.eventid -eq 1149'
- '.ID -eq 1149'
- 'EventCode=?1149?'
- 'EventIdentifier=?1149?'
- 'System[EventID=1149]'
# This covers EID 21 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
- '-InstanceId 21'
- '.eventid -eq 21'
- '.ID -eq 21'
- 'EventCode=?21?'
- 'EventIdentifier=?21?'
- 'System[EventID=21]'
# This covers EID 22 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
- '-InstanceId 22'
- '.eventid -eq 22'
- '.ID -eq 22'
- 'EventCode=?22?'
- 'EventIdentifier=?22?'
- 'System[EventID=22]'
condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
falsepositives:
- Legitimate usage of the utility by administrators to query the event log
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml