Detectionmediumtest

PowerShell Write-EventLog Usage

Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Aug 1635f41cd7-c98e-469f-8a02-ec4ba0cc7a7ewindows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Write-EventLog'
            - '-RawData '
    condition: selection

False Positives

Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign

References

Resolving title…

blackhillsinfosec.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Rule Metadata

Rule ID

35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e

Status

test

Level

medium

Type

Detection

Created

Tue Aug 16

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml

Raw Tags

attack.defense-evasion

View on GitHub