Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

calendar Nov 20, 2023 · attack.credential_access attack.discovery attack.t1552  ·
Share on: linkedin copy

Detects execution of different log query utilities to search and dump the content of specific event logs or look for specific event IDs.

Sigma rule (View on GitHub)

 1title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
 2id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
 3related:
 4    - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
 5      type: derived
 6status: experimental
 7description: |
 8        Detects execution of different log query utilities to search and dump the content of specific event logs or look for specific event IDs.
 9references:
10    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
11    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
12    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
13    - https://www.group-ib.com/blog/apt41-world-tour-2021/
14    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
15    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
16    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
17    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
18    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
19author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
20date: 2022/09/09
21modified: 2023/11/20
22tags:
23    - attack.credential_access
24    - attack.discovery
25    - attack.t1552
26logsource:
27    category: process_creation
28    product: windows
29detection:
30    selection_wmi:
31        CommandLine|contains|all:
32            - 'Select'
33            - 'Win32_NTLogEvent'
34    selection_wevtutil_img:
35        - Image|endswith: '\wevtutil.exe'
36        - OriginalFileName: 'wevtutil.exe'
37    selection_wevtutil_cli:
38        CommandLine|contains:
39            - ' qe '
40            - ' query-events '
41    selection_wmic_img:
42        - Image|endswith: '\wevtutil.exe'
43        - OriginalFileName: 'wevtutil.exe'
44    selection_wmic_cli:
45        CommandLine|contains: ' ntevent'
46    selection_cmdlet:
47        CommandLine|contains:
48            - 'Get-WinEvent '
49            - 'get-eventlog '
50    selection_logs_name:
51        CommandLine|contains:
52            # Note: Add more event log channels that are interesting for attackers
53            - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
54            - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational'
55            - 'Security'
56    selection_logs_eid:
57        CommandLine|contains:
58            # Note: We use the "?" to account for both a single and a double quote
59            # Note: Please add additional interesting event IDs
60            # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
61            # This covers EID 4624 from Security Log
62            - '-InstanceId 4624'
63            - 'System[EventID=4624]'
64            - 'EventCode=?4624?'
65            - "EventIdentifier=?4624?"
66            # This covers EID 4778 from Security Log
67            - '-InstanceId 4778'
68            - 'System[EventID=4778]'
69            - 'EventCode=?4778?'
70            - "EventIdentifier=?4778?"
71            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
72            - '-InstanceId 25'
73            - 'System[EventID=25]'
74            - 'EventCode=?25?'
75            - "EventIdentifier=?25?"
76    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
77falsepositives:
78    - Legitimate usage of the utility by administrators to query the event log
79level: medium

References

  • Lazarus and the tale of three RATs

    Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group.


    Read More

  • NetSupport Intrusion Results in Domain Compromise - The DFIR Report

    NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report … Read More


    Read More

  • People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection | CISA

    The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with ...


    Read More

  • https://www.group-ib.com/blog/apt41-world-tour-2021/


    Read More

  • ¦ ¦êö¿èüsyptÑafffv±ð €š¼#¹ˆjš®FÎ?oS~‹œ”Þ}2Ê'y–ºöùCï7Íl7èjhhôÆâuBÝßß#•³ª©‘Ós½½k ÷st—PAÇŠeô›ïIP`9�JÐ@çGd„çyÚÑ' tŠm‹¾üy+º.6Ý>þQ–húè¶NÇD=Ыr6zçl^íÐ`]¿_´tI½{Ã'©tÎ`ÝbóÏ]t˜™™™ýq󔀚¼...


    Read More

  • Get-WinEvent (Microsoft.PowerShell.Diagnostics) - PowerShell

    This cmdlet is only available on the Windows platform. The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs. The cmdlet gets data from event logs that are generated by the Windows Event Log technology introduced in Windows Vista and events in log files generated by Event Tracing for Windows (ETW). By default, Get-WinEvent returns event information in the order of newest to oldest. Get-WinEvent lists event logs and event log providers. To interrupt the command, press CTRL+C. You can get events from selected logs or from logs generated by selected event providers. And, you can combine events from multiple sources in a single command. Get-WinEvent allows you to filter events using XPath queries, structured XML queries, and hash table queries. If you're not running PowerShell as an Administrator, you might see error messages that you cannot retrieve information about a log.


    Read More

  • Get-EventLog (Microsoft.PowerShell.Management) - PowerShell

    The Get-EventLog cmdlet gets events and event logs from local and remote computers. By default, Get-EventLog gets logs from the local computer. To get logs from remote computers, use the ComputerName parameter. You can use the Get-EventLog parameters and property values to search for events. The cmdlet gets events that match the specified property values. PowerShell cmdlets that contain the EventLog noun work only on Windows classic event logs such as Application, System, or Security. To get logs that use the Windows Event Log technology in Windows Vista and later Windows versions, use Get-WinEvent. Note Get-EventLog uses a Win32 API that is deprecated. The results may not be accurate. Use the Get-WinEvent cmdlet instead.


    Read More

  • Reading EventViewer from the Command-Line

    Using wmic The wmic NTEVENT command can be used to dump out the contents of EventViewer logs to the command-line. Here’s an example: wmic NTEVENT WHERE "LogFile='security' AND TimeGenerated > '20100709173000.000000-300'" The TimeGenerated is NOT epoch, but is a string in the form of YYYYMMDDHHmmSS.uuuuuu-ZZZ where: Label Meaning Y Year M Month D Day H Hour m Minute S Second u Microsecond - Literally, a - Z Timezone offset in minutes from UTC (not hours) It’s also possible to add a GET to the query like so: wmic NTEVENT WHERE "LogFile='security' AND TimeGenerated > '20100709173000.


    Read More

  • wevtutil

    Reference article for wevtutil, which lets you retrieve information about event logs and publishers.


    Read More

Related rules

to-top