Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Sigma rule
```yaml
title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
id: e2812b49-bae0-4b21-b366-7c142eafcde2
status: test
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
    - attack.defense-evasion
logsource:
    category: ps_script
    product: windows
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection_class:
        ScriptBlockText|contains: 'Win32_NTEventlogFile'
    selection_function:
        ScriptBlockText|contains:
            - '.BackupEventlog('
            - '.ChangeSecurityPermissions('
            - '.ChangeSecurityPermissionsEx('
            - '.ClearEventLog('
            - '.Delete('
            - '.DeleteEx('
            - '.Rename('
            - '.TakeOwnerShip('
            - '.TakeOwnerShipEx('
    condition: all of selection_*
falsepositives:
    - Legitimate administration and backup scripts
level: medium
```
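The rule fires only when one script block (Event ID 4104 `ScriptBlockText`) contains both the class name and one of the listed method-call substrings; the two selections are independent substring checks joined by `all of selection_*`. As an added example, not code from the Sigma project, the rule author or this page, the Python below mirrors those two selections and the condition and runs them over constructed script block samples. It assumes Sigma's default case-insensitive `contains` matching; the sample `ScriptBlockText` values and their names are constructed for illustration, not captured telemetry.

```python
# Added example: evaluates the selection logic of the Sigma rule above
# against constructed PowerShell script block text (Event ID 4104 ScriptBlockText).
# This is not code from the Sigma project; it mirrors the rule's two selections
# and its "all of selection_*" condition using plain substring checks.

CLASS_TOKENS = ["Win32_NTEventlogFile"]

METHOD_TOKENS = [
    ".BackupEventlog(",
    ".ChangeSecurityPermissions(",
    ".ChangeSecurityPermissionsEx(",
    ".ClearEventLog(",
    ".Delete(",
    ".DeleteEx(",
    ".Rename(",
    ".TakeOwnerShip(",
    ".TakeOwnerShipEx(",
]


def contains_any(text: str, tokens: list[str]) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match, OR across list items."""
    lowered = text.lower()
    return any(tok.lower() in lowered for tok in tokens)


def rule_matches(script_block_text: str) -> bool:
    """condition: all of selection_* -> both selections must hold for the same event."""
    return contains_any(script_block_text, CLASS_TOKENS) and contains_any(
        script_block_text, METHOD_TOKENS
    )


# Constructed sample ScriptBlockText values (not real telemetry).
SAMPLE_EVENTS = {
    # Classic log-clearing one-liner through the WMI class: should alert.
    "clear_security_log": (
        "$log = Get-WmiObject -Class Win32_NTEventlogFile "
        "-Filter \"LogFileName='Security'\"; $log.ClearEventLog()"
    ),
    # Same intent, lowercase and via the gwmi alias: matching is
    # case-insensitive, so this still alerts.
    "clear_system_log_lowercase": (
        "(gwmi win32_nteventlogfile -Filter \"LogFileName='System'\").cleareventlog()"
    ),
    # Read-only enumeration: references the class but calls no listed method.
    "enumerate_only": (
        "Get-WmiObject Win32_NTEventlogFile | Select-Object LogFileName, NumberOfRecords"
    ),
    # Backup via Invoke-CimMethod: the method name never appears as '.BackupEventlog(',
    # so the rule does NOT fire even though the log file is acted on.
    "backup_via_cim_method": (
        "Get-CimInstance Win32_NTEventlogFile | ForEach-Object { "
        "Invoke-CimMethod -InputObject $_ -MethodName BackupEventlog "
        "-Arguments @{ ArchiveFileName = \"C:\\Backup\\$($_.LogFileName).evtx\" } }"
    ),
    # Class reference plus an unrelated '.Delete(' on a FileInfo in the same
    # script block: the two selections are independent substrings, so this alerts.
    "incidental_delete_fp": (
        "$sizes = Get-WmiObject Win32_NTEventlogFile | Select-Object LogFileName, FileSize; "
        "$tmp = Get-Item C:\\Temp\\sizes.csv; $tmp.Delete()"
    ),
}


def evaluate(events: dict[str, str]) -> dict[str, bool]:
    """Run the rule over every sample and return {event_name: matched}."""
    return {name: rule_matches(text) for name, text in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

Two points the samples make explicit. First, the rule keys on the `.Method(` call syntax of a WMI object reference, so the same operations issued through `Invoke-CimMethod` or `Invoke-WmiMethod` with `-MethodName` are not matched; a hardened variant would add those forms to `selection_function`. Second, because the class name and the method substring only need to co-occur somewhere in the script block, a script that enumerates `Win32_NTEventlogFile` and later calls `.Delete()` on an unrelated object still alerts, which is one concrete source of the "legitimate administration and backup scripts" false positives the rule lists.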
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity