Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

calendar Dec 9, 2025 · attack.credential-access attack.discovery attack.t1552 attack.t1087  ·
Share on: linkedin copy

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.

Sigma rule (View on GitHub)

  1title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
  2id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
  3related:
  4    - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
  5      type: derived
  6status: test
  7description: |
  8    Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
  9    This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.    
 10references:
 11    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 12    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
 13    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
 14    - https://www.group-ib.com/blog/apt41-world-tour-2021/
 15    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
 16    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
 17    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
 18    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
 19    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 20    - https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today
 21    - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/
 22    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
 23author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
 24date: 2022-09-09
 25modified: 2025-12-02
 26tags:
 27    - attack.credential-access
 28    - attack.discovery
 29    - attack.t1552
 30    - attack.t1087
 31logsource:
 32    category: process_creation
 33    product: windows
 34detection:
 35    selection_wmi:
 36        CommandLine|contains|all:
 37            - 'Select'
 38            - 'Win32_NTLogEvent'
 39    selection_wevtutil_img:
 40        - Image|endswith: '\wevtutil.exe'
 41        - OriginalFileName: 'wevtutil.exe'
 42    selection_wevtutil_cli:
 43        CommandLine|contains:
 44            - ' qe '
 45            - ' query-events '
 46    selection_wmic_img:
 47        - Image|endswith: '\wmic.exe'
 48        - OriginalFileName: 'wmic.exe'
 49    selection_wmic_cli:
 50        CommandLine|contains: ' ntevent'
 51    selection_cmdlet:
 52        CommandLine|contains:
 53            - 'Get-WinEvent '
 54            - 'get-eventlog '
 55    selection_logs_name:
 56        CommandLine|contains:
 57            # Note: Add more event log channels that are interesting for attackers
 58            - 'Microsoft-Windows-PowerShell'
 59            - 'Microsoft-Windows-Security-Auditing'
 60            - 'Microsoft-Windows-TerminalServices-LocalSessionManager'
 61            - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
 62            - 'Microsoft-Windows-Windows Defender'
 63            - 'PowerShellCore'
 64            - 'Security'
 65            - 'Windows PowerShell'
 66    selection_logs_eid:
 67        CommandLine|contains:
 68            # Note: We use the "?" to account for both a single and a double quote
 69            # Note: Please add additional interesting event IDs
 70            # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
 71            # This covers EID 4624 and 4628 from Security Log
 72            - '-InstanceId 462?'
 73            - '.eventid -eq 462?'
 74            - '.ID -eq 462?'
 75            - 'EventCode=?462?'
 76            - 'EventIdentifier=?462?'
 77            - 'System[EventID=462?]'
 78            # This covers EID 4778 from Security Log
 79            - '-InstanceId 4778'
 80            - '.eventid -eq 4778'
 81            - '.ID -eq 4778'
 82            - 'EventCode=?4778?'
 83            - 'EventIdentifier=?4778?'
 84            - 'System[EventID=4778]'
 85            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
 86            - '-InstanceId 25'
 87            - '.eventid -eq 25'
 88            - '.ID -eq 25'
 89            - 'EventCode=?25?'
 90            - 'EventIdentifier=?25?'
 91            - 'System[EventID=25]'
 92            # This covers EID 1149 from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log
 93            - '-InstanceId 1149'
 94            - '.eventid -eq 1149'
 95            - '.ID -eq 1149'
 96            - 'EventCode=?1149?'
 97            - 'EventIdentifier=?1149?'
 98            - 'System[EventID=1149]'
 99            # This covers EID 21 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
100            - '-InstanceId 21'
101            - '.eventid -eq 21'
102            - '.ID -eq 21'
103            - 'EventCode=?21?'
104            - 'EventIdentifier=?21?'
105            - 'System[EventID=21]'
106            # This covers EID 22 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
107            - '-InstanceId 22'
108            - '.eventid -eq 22'
109            - '.ID -eq 22'
110            - 'EventCode=?22?'
111            - 'EventIdentifier=?22?'
112            - 'System[EventID=22]'
113    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
114falsepositives:
115    - Legitimate usage of the utility by administrators to query the event log
116level: medium
117regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml

References

  • Lazarus and the tale of three RATs

    Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group.


    Read More

  • NetSupport Intrusion Results in Domain Compromise

    NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report on a NetSupport RAT intrus…


    Read More

  • People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection | CISA

    Summary The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associat...


    Read More

  • https://www.group-ib.com/blog/apt41-world-tour-2021/


    Read More

  • ¦ ¦êö¿èüsyptÑafffv±ð €š¼#¹ˆjš®FÎ?oS~‹œ”Þ}2Ê'y–ºöùCï7Íl7èjhhôÆâuBÝßß#•³ª©‘Ós½½k ÷st—PAÇŠeô›ïIP`9�JÐ@çGd„çyÚÑ' tŠm‹¾üy+º.6Ý>þQ–húè¶NÇD=Ыr6zçl^íÐ`]¿_´tI½{Ã'©tÎ`ÝbóÏ]t˜™™™ýq󔀚¼...


    Read More

  • Get-WinEvent (Microsoft.PowerShell.Diagnostics) - PowerShell

    This cmdlet is only available on the Windows platform. The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs. The cmdlet gets data from event logs that are generated by the Windows Event Log technology introduced in Windows Vista and events in log files generated by Event Tracing for Windows (ETW). By default, Get-WinEvent returns event information in the order of newest to oldest. Get-WinEvent lists event logs and event log providers. To interrupt the command, press CTRL+C. You can get events from selected logs or from logs generated by selected event providers. And, you can combine events from multiple sources in a single command. Get-WinEvent allows you to filter events using XPath queries, structured XML queries, and hash table queries. If you're not running PowerShell as an Administrator, you might see error messages that you cannot retrieve information about a log.


    Read More

  • Get-EventLog (Microsoft.PowerShell.Management) - PowerShell

    The Get-EventLog cmdlet gets events and event logs from local and remote computers. By default, Get-EventLog gets logs from the local computer. To get logs from remote computers, use the ComputerName parameter. You can use the Get-EventLog parameters and property values to search for events. The cmdlet gets events that match the specified property values. PowerShell cmdlets that contain the EventLog noun work only on Windows classic event logs such as Application, System, or Security. To get logs that use the Windows Event Log technology in Windows Vista and later Windows versions, use Get-WinEvent. Note Get-EventLog uses a Win32 API that is deprecated. The results may not be accurate. Use the Get-WinEvent cmdlet instead.


    Read More

  • Reading EventViewer from the Command-Line

    Using wmic The wmic NTEVENT command can be used to dump out the contents of EventViewer logs to the command-line. Here’s an example: wmic NTEVENT WHERE "LogFile='security' AND TimeGenerated > '20100709173000.000000-300'" The TimeGenerated is NOT epoch, but is a string in the form of YYYYMMDDHHmmSS.uuuuuu-ZZZ where: Label Meaning Y Year M Month D Day H Hour m Minute S Second u Microsecond - Literally, a - Z Timezone offset in minutes from UTC (not hours) It’s also possible to add a GET to the query like so: wmic NTEVENT WHERE "LogFile='security' AND TimeGenerated > '20100709173000.


    Read More

  • wevtutil

    Reference article for wevtutil, which lets you retrieve information about event logs and publishers.


    Read More

  • APT31 — кибершпионская группа, нацеленная в основном на промышленный шпионаж и кражу интеллектуальной собственности. Группа маскирует свои инструменты под легитимное программное обеспечение. Для со...


    Read More

  • Windows Terminal Server - Remote Connection Manager Log

    What Is It? The “Windows Terminal Server – Remote Connection...


    Read More

  • Windows RDP-Related Event Logs: Identification, Tracking, and Investigation | Ponder The Bits

    A cohesive and comprehensive walk-through of the most common and empirically useful RDP-related Windows Event Log Sources and ID's, grouped by stage of occurrence (Connection, Authentication, Logon, Disconnect/Reconnect, Logoff).


    Read More

Related rules

to-top