Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

 1title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
 2id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
 3related:
 4    - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
 5      type: derived
 6status: experimental
 7description: |
 8    Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
 9    This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.    
10references:
11    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
12    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
13    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
14    - https://www.group-ib.com/blog/apt41-world-tour-2021/
15    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
16    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
17    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
18    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
19    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
20author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
21date: 2022/09/09
22modified: 2024/01/02
23tags:
24    - attack.credential_access
25    - attack.discovery
26    - attack.t1552
27logsource:
28    category: process_creation
29    product: windows
30detection:
31    selection_wmi:
32        CommandLine|contains|all:
33            - 'Select'
34            - 'Win32_NTLogEvent'
35    selection_wevtutil_img:
36        - Image|endswith: '\wevtutil.exe'
37        - OriginalFileName: 'wevtutil.exe'
38    selection_wevtutil_cli:
39        CommandLine|contains:
40            - ' qe '
41            - ' query-events '
42    selection_wmic_img:
43        - Image|endswith: '\wmic.exe'
44        - OriginalFileName: 'wmic.exe'
45    selection_wmic_cli:
46        CommandLine|contains: ' ntevent'
47    selection_cmdlet:
48        CommandLine|contains:
49            - 'Get-WinEvent '
50            - 'get-eventlog '
51    selection_logs_name:
52        CommandLine|contains:
53            # Note: Add more event log channels that are interesting for attackers
54            - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
55            - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational'
56            - 'Security'
57    selection_logs_eid:
58        CommandLine|contains:
59            # Note: We use the "?" to account for both a single and a double quote
60            # Note: Please add additional interesting event IDs
61            # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
62            # This covers EID 4624 from Security Log
63            - '-InstanceId 4624'
64            - 'System[EventID=4624]'
65            - 'EventCode=?4624?'
66            - "EventIdentifier=?4624?"
67            # This covers EID 4778 from Security Log
68            - '-InstanceId 4778'
69            - 'System[EventID=4778]'
70            - 'EventCode=?4778?'
71            - "EventIdentifier=?4778?"
72            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
73            - '-InstanceId 25'
74            - 'System[EventID=25]'
75            - 'EventCode=?25?'
76            - "EventIdentifier=?25?"
77    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
78falsepositives:
79    - Legitimate usage of the utility by administrators to query the event log
80level: medium

References

• Lazarus and the tale of three RATs

  

  Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group.

  
  Read More

• NetSupport Intrusion Results in Domain Compromise - The DFIR Report

  

  NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report … Read More

  
  Read More

• People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection | CISA

  

  The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with ...

  
  Read More

• https://www.group-ib.com/blog/apt41-world-tour-2021/

  
  Read More

• ¦ ¦êö¿èüsyptÑafffv±ð €š¼#¹ˆjš®FÎ?oS~‹œ”Þ}2Ê'y–ºöùCï7Íl7èjhhôÆâuBÝßß#•³ª©‘Ós½½k ÷st—PAÇŠeô›ïIP`9�JÐ@çGd„çyÚÑ' tŠm‹¾üy+º.6Ý>þQ–húè¶NÇD=Ыr6zçl^íÐ`]¿_´tI½{Ã'©tÎ`ÝbóÏ]t˜™™™ýq󔀚¼...

  
  Read More

• Get-WinEvent (Microsoft.PowerShell.Diagnostics) - PowerShell

  

  This cmdlet is only available on the Windows platform. The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs. The cmdlet gets data from event logs that are generated by the Windows Event Log technology introduced in Windows Vista and events in log files generated by Event Tracing for Windows (ETW). By default, Get-WinEvent returns event information in the order of newest to oldest. Get-WinEvent lists event logs and event log providers. To interrupt the command, press CTRL+C. You can get events from selected logs or from logs generated by selected event providers. And, you can combine events from multiple sources in a single command. Get-WinEvent allows you to filter events using XPath queries, structured XML queries, and hash table queries. If you're not running PowerShell as an Administrator, you might see error messages that you cannot retrieve information about a log.

  
  Read More

• Get-EventLog (Microsoft.PowerShell.Management) - PowerShell

  

  The Get-EventLog cmdlet gets events and event logs from local and remote computers. By default, Get-EventLog gets logs from the local computer. To get logs from remote computers, use the ComputerName parameter. You can use the Get-EventLog parameters and property values to search for events. The cmdlet gets events that match the specified property values. PowerShell cmdlets that contain the EventLog noun work only on Windows classic event logs such as Application, System, or Security. To get logs that use the Windows Event Log technology in Windows Vista and later Windows versions, use Get-WinEvent. Note Get-EventLog uses a Win32 API that is deprecated. The results may not be accurate. Use the Get-WinEvent cmdlet instead.

  
  Read More

• Reading EventViewer from the Command-Line

  Using wmic The wmic NTEVENT command can be used to dump out the contents of EventViewer logs to the command-line. Here’s an example: wmic NTEVENT WHERE "LogFile='security' AND TimeGenerated > '20100709173000.000000-300'" The TimeGenerated is NOT epoch, but is a string in the form of YYYYMMDDHHmmSS.uuuuuu-ZZZ where: Label Meaning Y Year M Month D Day H Hour m Minute S Second u Microsecond - Literally, a - Z Timezone offset in minutes from UTC (not hours) It’s also possible to add a GET to the query like so: wmic NTEVENT WHERE "LogFile='security' AND TimeGenerated > '20100709173000.

  
  Read More

• wevtutil

  

  Reference article for wevtutil, which lets you retrieve information about event logs and publishers.

  
  Read More

Related rules

• Potential Network Sniffing Activity Using Network Tools
• HackTool - WinPwn Execution
• HackTool - WinPwn Execution - ScriptBlock
• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript