WinEvent Security Query
Detects querying of Windows Security log for account activity
Sigma rule (View on GitHub)
1title: WinEvent Security Query
2id: 0b4a3c5d-75f0-4483-91fc-13ef54380aea
3status: Experimental
4description: Detects querying of Windows Security log for account activity
5author: _pete_0, TheDFIRReport
6references:
7 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
8 - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware
9date: 2023-04-02
10modified: 2024-02-23
11logsource:
12 category: process_creation
13 product: windows
14detection:
15 selection:
16 CommandLine|contains:
17 - 'get-eventlog'
18 - 'security'
19 - 'export-csv'
20 Image|endswith:
21 - '\powershell.exe'
22 condition: all of selection
23fields:
24 - CommandLine
25falsepositives:
26 - Unknown
27level: high
28tags:
29 - attack.t1033
References
-
The Get-EventLog cmdlet gets events and event logs from local and remote computers. By default, Get-EventLog gets logs from the local computer. To get logs from remote computers, use the ComputerName parameter. You can use the Get-EventLog parameters and property values to search for events. The cmdlet gets events that match the specified property values. PowerShell cmdlets that contain the EventLog noun work only on Windows classic event logs such as Application, System, or Security. To get logs that use the Windows Event Log technology in Windows Vista and later Windows versions, use Get-WinEvent. Note Get-EventLog uses a Win32 API that is deprecated. The results may not be accurate. Use the Get-WinEvent cmdlet instead.
Read More -
IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and…
Read More