Suspicious Use of PsLogList

Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to clear event logs

Sigma rule

title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
status: test
description: Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to clear event logs
references:
    - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
    - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
    - https://twitter.com/EricaZelic/status/1614075109827874817
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021/12/18
modified: 2023/01/16
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'psloglist.exe'
        - Image|endswith:
              - '\psloglist.exe'
              - '\psloglist64.exe'
    selection_cli_eventlog:
        CommandLine|contains:
            - ' security'
            - ' application'
            - ' system'
    selection_cli_flags:
        CommandLine|contains:
            - ' -d'
            - ' /d'
            - ' -x'
            - ' /x'
            - ' -s'
            - ' /s'
            - ' -c' # Clear event log after displaying
            - ' /c'
            - ' -g' # Export an event log as an evt file.
            - ' /g'
    condition: all of selection_*
falsepositives:
    - Another tool that uses the command line switches of PsLogList
    - Legitimate use of PsLogList by an administrator
level: medium
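The following is an added illustration, not SigmaHQ's own code: it re-implements the rule's three selections and its `all of selection_*` condition in plain Python and runs them over a few constructed process_creation events, showing which ones fire and which are excluded. It assumes Sigma's default case-insensitive string matching for `contains` and `endswith`; the event field names and sample command lines are constructed for this example.

```python
from typing import Dict, List

# Lists mirror the rule's selections; Sigma string matching is
# case-insensitive by default, so everything is compared lowercased.
IMAGE_SUFFIXES = ("\\psloglist.exe", "\\psloglist64.exe")
ORIGINAL_FILE_NAME = "psloglist.exe"
EVENTLOG_TOKENS = (" security", " application", " system")
FLAG_TOKENS = (" -d", " /d", " -x", " /x", " -s", " /s",
               " -c", " /c", " -g", " /g")

def selection_img(event: Dict[str, str]) -> bool:
    """OriginalFileName is psloglist.exe OR Image ends with a listed name."""
    if event.get("OriginalFileName", "").lower() == ORIGINAL_FILE_NAME:
        return True
    image = event.get("Image", "").lower()
    return any(image.endswith(s) for s in IMAGE_SUFFIXES)

def contains_any(value: str, tokens) -> bool:
    """Sigma 'contains' over a list: true if any token is a substring."""
    value = value.lower()
    return any(t in value for t in tokens)

def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> every selection must hold."""
    cmd = event.get("CommandLine", "")
    return (selection_img(event)
            and contains_any(cmd, EVENTLOG_TOKENS)
            and contains_any(cmd, FLAG_TOKENS))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Renamed binary; OriginalFileName still identifies it. Dumps and clears Security.
    {"Image": "C:\\Temp\\svc.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "svc.exe -accepteula -c Security"},
    # 64-bit build exporting the System log to an .evt file
    {"Image": "C:\\Tools\\psloglist64.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "psloglist64.exe -g sys.evt System"},
    # Plain listing without any of the flagged switches: no alert
    {"Image": "C:\\Tools\\psloglist.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "psloglist.exe Application"},
    # Other tool with similar switches: selection_img fails, so no alert
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c Get-EventLog -LogName Security"},
]

def alerts(events=SAMPLE_EVENTS) -> List[int]:
    """Return the indexes of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```

The fourth event shows why the rule gates on the image rather than on switches alone: a different tool with the same `-c` and `Security` tokens does not fire, which is the "another tool that uses the command line switches" case the false-positives section mentions.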
