Suspicious Use of PsLogList

calendar Mar 11, 2024 · attack.discovery attack.t1087 attack.t1087.001 attack.t1087.002  ·
Share on: linkedin copy

Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs

Sigma rule (View on GitHub)

 1title: Suspicious Use of PsLogList
 2id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
 3status: test
 4description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
 5references:
 6    - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
 7    - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
 8    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
 9    - https://twitter.com/EricaZelic/status/1614075109827874817
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2021/12/18
12modified: 2024/03/05
13tags:
14    - attack.discovery
15    - attack.t1087
16    - attack.t1087.001
17    - attack.t1087.002
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - OriginalFileName: 'psloglist.exe'
24        - Image|endswith:
25              - '\psloglist.exe'
26              - '\psloglist64.exe'
27    selection_cli_eventlog:
28        CommandLine|contains:
29            - ' security'
30            - ' application'
31            - ' system'
32    selection_cli_flags:
33        CommandLine|contains|windash:
34            - ' -d'
35            - ' -x'
36            - ' -s'
37            - ' -c' # Clear event log after displaying
38            - ' -g' # Export an event log as an evt file.
39    condition: all of selection_*
40falsepositives:
41    - Another tool that uses the command line switches of PsLogList
42    - Legitimate use of PsLogList by an administrator
43level: medium

References

Related rules

to-top