Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
Source: upstream

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1552` Unsecured Credentials
Discovery	`T1087` Account Discovery

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `1 of selection_logs_name`

or:
CommandLine|contains: Microsoft-Windows-PowerShell
CommandLine|contains: 'Microsoft-Windows-Security-Auditing'
CommandLine|contains: 'Microsoft-Windows-TerminalServices-LocalSessionManager'
CommandLine|contains: 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
CommandLine|contains: 'Microsoft-Windows-Windows Defender'
CommandLine|contains: PowerShellCore
CommandLine|contains: Security
CommandLine|contains: 'Windows PowerShell'

Stage 2: `1 of selection_logs_eid`

or:
CommandLine|contains: '-InstanceId 1149'
CommandLine|contains: '-InstanceId 21'
CommandLine|contains: '-InstanceId 22'
CommandLine|contains: '-InstanceId 25'
CommandLine|contains: '-InstanceId 462?'
CommandLine|contains: '-InstanceId 4778'
CommandLine|contains: '.ID -eq 1149'
CommandLine|contains: '.ID -eq 21'
CommandLine|contains: '.ID -eq 22'
CommandLine|contains: '.ID -eq 25'
CommandLine|contains: '.ID -eq 462?'
CommandLine|contains: '.ID -eq 4778'
CommandLine|contains: '.eventid -eq 1149'
CommandLine|contains: '.eventid -eq 21'
CommandLine|contains: '.eventid -eq 22'
CommandLine|contains: '.eventid -eq 25'
CommandLine|contains: '.eventid -eq 462?'
CommandLine|contains: '.eventid -eq 4778'
CommandLine|contains: 'EventCode=?1149?'
CommandLine|contains: 'EventCode=?21?'
CommandLine|contains: 'EventCode=?22?'
CommandLine|contains: 'EventCode=?25?'
CommandLine|contains: 'EventCode=?462?'
CommandLine|contains: 'EventCode=?4778?'
CommandLine|contains: 'EventIdentifier=?1149?'
CommandLine|contains: 'EventIdentifier=?21?'
CommandLine|contains: 'EventIdentifier=?22?'
CommandLine|contains: 'EventIdentifier=?25?'
CommandLine|contains: 'EventIdentifier=?462?'
CommandLine|contains: 'EventIdentifier=?4778?'
CommandLine|contains: 'System[EventID=1149]'
CommandLine|contains: 'System[EventID=21]'
CommandLine|contains: 'System[EventID=22]'
CommandLine|contains: 'System[EventID=25]'
CommandLine|contains: 'System[EventID=462?]'
CommandLine|contains: 'System[EventID=4778]'

Stage 3: `selection_wmi`

CommandLine|contains: Select
CommandLine|contains: Win32_NTLogEvent

Stage 4: `all of selection_wevtutil_img`

or:
Image|endswith: '\wevtutil.exe'
OriginalFileName: wevtutil.exe

Stage 5: `all of selection_wevtutil_cli`

or:
CommandLine|contains: ' qe '
CommandLine|contains: ' query-events '

Stage 6: `all of selection_wmic_img`

or:
Image|endswith: '\wmic.exe'
OriginalFileName: wmic.exe

Stage 7: `all of selection_wmic_cli`

CommandLine|contains: ' ntevent'

Stage 8: `selection_cmdlet`

or:
CommandLine|contains: 'Get-WinEvent '
CommandLine|contains: 'get-eventlog '

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`ntevent` `qe` `query-events` `-InstanceId 1149` `-InstanceId 21` `-InstanceId 22` `-InstanceId 25` `-InstanceId 462?` `-InstanceId 4778` `.ID -eq 1149` `.ID -eq 21` `.ID -eq 22` `.ID -eq 25` `.ID -eq 462?` `.ID -eq 4778` `.eventid -eq 1149` `.eventid -eq 21` `.eventid -eq 22` `.eventid -eq 25` `.eventid -eq 462?` `.eventid -eq 4778` `EventCode=?1149?` `EventCode=?21?` `EventCode=?22?` `EventCode=?25?` `EventCode=?462?` `EventCode=?4778?` `EventIdentifier=?1149?` `EventIdentifier=?21?` `EventIdentifier=?22?` `EventIdentifier=?25?` `EventIdentifier=?462?` `EventIdentifier=?4778?` `Get-WinEvent` `Microsoft-Windows-PowerShell` `Microsoft-Windows-Security-Auditing` `Microsoft-Windows-TerminalServices-LocalSessionManager` `Microsoft-Windows-TerminalServices-RemoteConnectionManager` `Microsoft-Windows-Windows Defender` `PowerShellCore` `Security` `Select` `System[EventID=1149]` `System[EventID=21]` `System[EventID=22]` `System[EventID=25]` `System[EventID=462?]` `System[EventID=4778]` `Win32_NTLogEvent` `Windows PowerShell` `get-eventlog`
`Image`	ends_with	`\wevtutil.exe` corpus 6 (sigma 6) `\wmic.exe` corpus 37 (sigma 37)
`OriginalFileName`	eq	`wevtutil.exe` corpus 4 (sigma 4) `wmic.exe` corpus 33 (sigma 33)

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: 1 of selection_logs_name

Stage 2: 1 of selection_logs_eid

Stage 3: selection_wmi

Stage 4: all of selection_wevtutil_img

Stage 5: all of selection_wevtutil_cli

Stage 6: all of selection_wmic_img

Stage 7: all of selection_wmic_cli

Stage 8: selection_cmdlet