Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)Created Fri Sep 09Updated Tue Dec 02beaa66d6-aa1b-4e3c-80f5-e0145369bfafwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic8 selectors
detection:
    selection_wmi:
        CommandLine|contains|all:
            - 'Select'
            - 'Win32_NTLogEvent'
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cli:
        CommandLine|contains:
            - ' qe '
            - ' query-events '
    selection_wmic_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains: ' ntevent'
    selection_cmdlet:
        CommandLine|contains:
            - 'Get-WinEvent '
            - 'get-eventlog '
    selection_logs_name:
        CommandLine|contains:
            # Note: Add more event log channels that are interesting for attackers
            - 'Microsoft-Windows-PowerShell'
            - 'Microsoft-Windows-Security-Auditing'
            - 'Microsoft-Windows-TerminalServices-LocalSessionManager'
            - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
            - 'Microsoft-Windows-Windows Defender'
            - 'PowerShellCore'
            - 'Security'
            - 'Windows PowerShell'
    selection_logs_eid:
        CommandLine|contains:
            # Note: We use the "?" to account for both a single and a double quote
            # Note: Please add additional interesting event IDs
            # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
            # This covers EID 4624 and 4628 from Security Log
            - '-InstanceId 462?'
            - '.eventid -eq 462?'
            - '.ID -eq 462?'
            - 'EventCode=?462?'
            - 'EventIdentifier=?462?'
            - 'System[EventID=462?]'
            # This covers EID 4778 from Security Log
            - '-InstanceId 4778'
            - '.eventid -eq 4778'
            - '.ID -eq 4778'
            - 'EventCode=?4778?'
            - 'EventIdentifier=?4778?'
            - 'System[EventID=4778]'
            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 25'
            - '.eventid -eq 25'
            - '.ID -eq 25'
            - 'EventCode=?25?'
            - 'EventIdentifier=?25?'
            - 'System[EventID=25]'
            # This covers EID 1149 from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log
            - '-InstanceId 1149'
            - '.eventid -eq 1149'
            - '.ID -eq 1149'
            - 'EventCode=?1149?'
            - 'EventIdentifier=?1149?'
            - 'System[EventID=1149]'
            # This covers EID 21 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 21'
            - '.eventid -eq 21'
            - '.ID -eq 21'
            - 'EventCode=?21?'
            - 'EventIdentifier=?21?'
            - 'System[EventID=21]'
            # This covers EID 22 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 22'
            - '.eventid -eq 22'
            - '.ID -eq 22'
            - 'EventCode=?22?'
            - 'EventIdentifier=?22?'
            - 'System[EventID=22]'
    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
False Positives

Legitimate usage of the utility by administrators to query the event log

References
1
Resolving title…
blog.talosintelligence.com
2
Resolving title…
thedfirreport.com
3
Resolving title…
cisa.gov
4
Resolving title…
group-ib.com
5
Resolving title…
labs.withsecure.com
6
Resolving title…
learn.microsoft.com
7
Resolving title…
learn.microsoft.com
8
Resolving title…
solomonson.com
9
Resolving title…
learn.microsoft.com
10
Resolving title…
ptsecurity.com
11
Resolving title…
cybertriage.com
12
Resolving title…
ponderthebits.com
Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)
Positive Detection Testevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
DerivedThreat Huntmedium

EventLog Query Requests By Builtin Utilities

Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
Status
test
Level
medium
Type
Detection
Created
Fri Sep 09
Modified
Tue Dec 02
Author
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
Raw Tags
attack.credential-accessattack.discoveryattack.t1552attack.t1087
View on GitHub