Suspicious Use of PsLogList
Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs
Sigma rule

```yaml
title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
status: test
description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
references:
    - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
    - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
    - https://twitter.com/EricaZelic/status/1614075109827874817
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'psloglist.exe'
        - Image|endswith:
            - '\psloglist.exe'
            - '\psloglist64.exe'
    selection_cli_eventlog:
        CommandLine|contains:
            - ' security'
            - ' application'
            - ' system'
    selection_cli_flags:
        CommandLine|contains|windash:
            - ' -d'
            - ' -x'
            - ' -s'
            - ' -c' # Clear event log after displaying
            - ' -g' # Export an event log as an evt file.
    condition: all of selection_*
falsepositives:
    - Another tool that uses the command line switches of PsLogList
    - Legitimate use of PsLogList by an administrator
level: medium
```
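To see how the three selections combine, here is an added example (not part of the rule or the Sigma project) that evaluates the rule's logic against constructed process_creation events. It assumes the `|windash` modifier expands each `-` to the ASCII hyphen, the forward slash and the Unicode dashes Windows accepts, and that Sigma string matching is case-insensitive; the sample events are constructed, not real telemetry.

```python
# Dash variants assumed for the Sigma |windash modifier: ASCII hyphen, slash,
# en dash, em dash and horizontal bar (Windows tools accept all of them).
WINDASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]

# Values lifted directly from the rule's three selections.
ORIGINAL_FILENAME = "psloglist.exe"
IMAGE_SUFFIXES = ("\\psloglist.exe", "\\psloglist64.exe")
EVENTLOG_TOKENS = (" security", " application", " system")
FLAG_TOKENS = (" -d", " -x", " -s", " -c", " -g")


def windash_expand(token: str) -> list:
    """Return every dash-variant spelling of a ' -flag' token."""
    return [token.replace("-", dash) for dash in WINDASH_VARIANTS]


def matches_psloglist_rule(event: dict) -> bool:
    """True when one event satisfies selection_img AND selection_cli_eventlog
    AND selection_cli_flags, i.e. the rule's 'all of selection_*' condition."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    selection_img = original == ORIGINAL_FILENAME or image.endswith(IMAGE_SUFFIXES)
    selection_cli_eventlog = any(tok in cmdline for tok in EVENTLOG_TOKENS)
    selection_cli_flags = any(
        variant in cmdline for tok in FLAG_TOKENS for variant in windash_expand(tok)
    )
    return selection_img and selection_cli_eventlog and selection_cli_flags


# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\psloglist.exe",
     "CommandLine": "psloglist.exe -s security"},          # hyphen flag: match
    {"Image": "C:\\Tools\\psloglist64.exe",
     "CommandLine": "psloglist64.exe /c Application"},     # slash flag: match via windash
    {"Image": "C:\\Tools\\psloglist.exe",
     "CommandLine": "psloglist.exe -h"},                   # no log name, no listed flag
    {"Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil qe Security -c:5"},          # different tool: selection_img fails
]


def evaluate(events: list) -> list:
    """Apply the rule to each event and return the verdicts in order."""
    return [matches_psloglist_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ok    ", event["CommandLine"])
```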
Related rules
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ScriptBlock
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- Suspicious Group And Account Reconnaissance Activity Using Net.EXE