PowerShell Write-EventLog Usage

Detects usage of the "Write-EventLog" cmdlet with the 'RawData' flag. The cmdlet can be leveraged to write malicious payloads to the EventLog and then retrieve them for later use.

Sigma rule

title: PowerShell Write-EventLog Usage
id: 35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e
status: test
description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be leveraged to write malicious payloads to the EventLog and then retrieve them for later use
references:
    - https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/16
tags:
    - attack.defense_evasion
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Write-EventLog'
            - '-RawData '
    condition: selection
falsepositives:
    - Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign
level: medium
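
How the rule's single selection evaluates, shown as an added example that is not part of the original rule page and is not Sigma tooling code. The event dictionaries are constructed samples shaped like Script Block Logging records, and `Send-Report` is a hypothetical cmdlet name used only to show a false positive.

```python
# Minimal evaluator for the rule's 'ScriptBlockText|contains|all' selection.
# Not pySigma; all events below are constructed samples, not real telemetry.

RULE_FIELD = "ScriptBlockText"
RULE_VALUES = ["Write-EventLog", "-RawData "]  # copied from the rule


def contains_all(event, field=RULE_FIELD, values=RULE_VALUES):
    """Every value must be a substring of the field; Sigma compares case-insensitively."""
    text = event.get(field)
    if not isinstance(text, str):
        return False  # field absent: the selection cannot match
    haystack = text.lower()
    return all(v.lower() in haystack for v in values)


def triage(events):
    """Return the EventRecordID of each event that satisfies the selection."""
    return [e["EventRecordID"] for e in events if contains_all(e)]


# Constructed sample events.
SAMPLE_EVENTS = [
    # 1: cmdlet used with -RawData -> matches
    {"EventRecordID": 1, "ScriptBlockText":
        "Write-EventLog -LogName Application -Source App -EventId 1000 "
        "-Message 'ok' -RawData $bytes"},
    # 2: ordinary logging without -RawData -> no match
    {"EventRecordID": 2, "ScriptBlockText":
        "Write-EventLog -LogName Application -Source App -EventId 1000 "
        "-Message 'service started'"},
    # 3: different casing -> still matches
    {"EventRecordID": 3, "ScriptBlockText":
        "write-eventlog -logname Application -source App -eventid 7 "
        "-message x -rawdata $b"},
    # 4: both strings present but unrelated (a comment and a hypothetical
    #    cmdlet) -> matches; a false positive to expect during triage
    {"EventRecordID": 4, "ScriptBlockText":
        "# TODO: replace Write-EventLog with ETW\n"
        "Send-Report -RawData $payload"},
    # 5: event without the ScriptBlockText field -> no match
    {"EventRecordID": 5, "Path": "C:\\scripts\\job.ps1"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Because `contains|all` only requires both strings somewhere in the same script block, a hit like record 4 needs the analyst to confirm that `-RawData` is actually an argument of `Write-EventLog`.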
