Date: 12/10/2024
Severity: Medium
Summary
Detects attempts to query event log contents using command-line utilities (wevtutil, WMIC/WQL against Win32_NTLogEvent, and the Get-WinEvent / Get-EventLog PowerShell cmdlets). Attackers often use this technique to search logs for sensitive information, such as passwords, usernames, or IP addresses.
Indicators of Compromise (IOC) List
CommandLine: 'Select', 'Win32_NTLogEvent', ' qe ', ' query-events ', 'ntevent', 'Get-WinEvent ', 'get-eventlog '
Image: '\wevtutil.exe', '\wmic.exe'
OriginalFileName: 'Wevtutil.exe', 'wmic.exe'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: (resourcename = "Windows Security" AND eventtype = "4688") AND ((processname like "\wevtutil.exe" AND (commandline like "qe" OR commandline like "query-events")) OR (commandline like "Select" AND commandline like "Win32_NTLogEvent") OR (processname like "\wmic.exe" AND commandline like "ntevent") OR (commandline like "Get-WinEvent" OR commandline like "get-eventlog"))
Detection Query 2: (technologygroup = "EDR") AND ((processname like "\wevtutil.exe" AND (commandline like "qe" OR commandline like "query-events")) OR (commandline like "Select" AND commandline like "Win32_NTLogEvent") OR (processname like "\wmic.exe" AND commandline like "ntevent") OR (commandline like "Get-WinEvent" OR commandline like "get-eventlog"))
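The same four indicator groups applied to process-creation records, as an added example that is not Gurucul's own code: each group is OR-ed with the others, the image test is AND-ed with the command-line test inside the wevtutil and wmic groups, and the sample records are constructed, not real telemetry.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str          # full path of the created process (4688 NewProcessName / EDR Image)
    command_line: str   # process command line as logged

def _image_is(ev: ProcEvent, name: str) -> bool:
    # Match on the trailing file name so the directory prefix does not matter.
    return ev.image.lower().endswith("\\" + name)

def _cl_has(ev: ProcEvent, *needles: str) -> bool:
    # Case-insensitive substring test; any one needle is enough.
    cl = ev.command_line.lower()
    return any(n.lower() in cl for n in needles)

def matched_indicators(ev: ProcEvent) -> list[str]:
    """Return the indicator groups an event satisfies (empty list = no alert)."""
    hits = []
    # wevtutil.exe with the qe / query-events verb only; 'wevtutil el' stays silent
    if _image_is(ev, "wevtutil.exe") and _cl_has(ev, " qe ", " query-events "):
        hits.append("wevtutil")
    # wmic.exe driving the ntevent alias; unrelated wmic queries stay silent
    if _image_is(ev, "wmic.exe") and _cl_has(ev, "ntevent"):
        hits.append("wmic")
    # WQL against the event log class, whatever process hosts the query
    if _cl_has(ev, "select") and _cl_has(ev, "win32_ntlogevent"):
        hits.append("wmi_query")
    # either PowerShell cmdlet alone suffices, hence OR rather than AND
    if _cl_has(ev, "get-winevent ", "get-eventlog "):
        hits.append("powershell")
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched groups, listing only events that fired."""
    return {i: h for i, ev in enumerate(events) if (h := matched_indicators(ev))}

# Constructed sample records covering each group plus two benign runs.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe qe Security /c:5 /f:text"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe ntevent get EventCode /format:csv"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -Command "Get-WinEvent -LogName Security -MaxEvents 10"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command \"Get-WmiObject -Query 'Select * from Win32_NTLogEvent'\""),
    ProcEvent(r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe el"),          # lists log names only
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe os get caption"),  # unrelated WMI query
]

if __name__ == "__main__":
    for idx, groups in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(groups)}")
```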
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml