Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

EventLog Query Requests By Builtin Utilities

Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)Created Mon Nov 20Updated Wed Jan 249cd55b6c-430a-4fa9-96f4-7cadf5229e9fwindows
Hunting Hypothesis
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic6 selectors
detection:
    selection_wmi:
        CommandLine|contains|all:
            - 'Select'
            - 'Win32_NTLogEvent'
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cli:
        CommandLine|contains:
            - ' qe '
            - ' query-events '
    selection_wmic_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains: ' ntevent'
    selection_cmdlet:
        CommandLine|contains:
            - 'Get-WinEvent '
            - 'get-eventlog '
    condition: selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet
False Positives

Legitimate log access by administrators or troubleshooting tools

References
1
Resolving title…
learn.microsoft.com
2
Resolving title…
learn.microsoft.com
3
Resolving title…
solomonson.com
4
Resolving title…
learn.microsoft.com
MITRE ATT&CK

Other

detection.threat-hunting
Related Rules
DerivedDetectionmedium

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
Status
test
Level
medium
Type
Threat Hunt
Created
Mon Nov 20
Modified
Wed Jan 24
Author
Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml
Raw Tags
attack.t1552attack.credential-accessdetection.threat-hunting
View on GitHub