-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge PR #4532 from @alwashali - Update EventLog Query Related Rules
new: EventLog Query Requests By Builtin Utilities update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Enhanced logic from simply covering wevtutil to covering other tools and conditions. --------- Co-authored-by: nasbench <[email protected]> Co-authored-by: phantinuss <[email protected]>
- Loading branch information
3 people
authored
Nov 20, 2023
1 parent
2d63859
commit bb97300
Showing
3 changed files
with
126 additions
and
30 deletions.
There are no files selected for viewing
47 changes: 47 additions & 0 deletions
47
rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| title: EventLog Query Requests By Builtin Utilities | ||
| id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f | ||
| related: | ||
| - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf | ||
| type: derived | ||
| status: experimental | ||
| description: | | ||
| Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc. | ||
| references: | ||
| - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3 | ||
| - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1 | ||
| - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/ | ||
| - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil | ||
| author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems) | ||
| date: 2023/11/20 | ||
| tags: | ||
| - attack.t1552 | ||
| - attack.credential_access | ||
| - detection.threat_hunting | ||
| logsource: | ||
| product: windows | ||
| category: process_creation | ||
| detection: | ||
| selection_wmi: | ||
| CommandLine|contains|all: | ||
| - 'Select' | ||
| - 'Win32_NTLogEvent' | ||
| selection_wevtutil_img: | ||
| - Image|endswith: '\wevtutil.exe' | ||
| - OriginalFileName: 'wevtutil.exe' | ||
| selection_wevtutil_cli: | ||
| CommandLine|contains: | ||
| - ' qe ' | ||
| - ' query-events ' | ||
| selection_wmic_img: | ||
| - Image|endswith: '\wevtutil.exe' | ||
| - OriginalFileName: 'wevtutil.exe' | ||
| selection_wmic_cli: | ||
| CommandLine|contains: ' ntevent' | ||
| selection_cmdlet: | ||
| CommandLine|contains: | ||
| - 'Get-WinEvent ' | ||
| - 'get-eventlog ' | ||
| condition: selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet | ||
| falsepositives: | ||
| - Legitimate log access by administrators or troubleshooting tools | ||
| level: medium |
79 changes: 79 additions & 0 deletions
79
rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities | ||
| id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf | ||
| related: | ||
| - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f | ||
| type: derived | ||
| status: experimental | ||
| description: | | ||
| Detects execution of different log query utilities to search and dump the content of specific event logs or look for specific event IDs. | ||
| references: | ||
| - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html | ||
| - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ | ||
| - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a | ||
| - https://www.group-ib.com/blog/apt41-world-tour-2021/ | ||
| - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf | ||
| - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3 | ||
| - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1 | ||
| - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/ | ||
| - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil | ||
| author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | ||
| date: 2022/09/09 | ||
| modified: 2023/11/20 | ||
| tags: | ||
| - attack.credential_access | ||
| - attack.discovery | ||
| - attack.t1552 | ||
| logsource: | ||
| category: process_creation | ||
| product: windows | ||
| detection: | ||
| selection_wmi: | ||
| CommandLine|contains|all: | ||
| - 'Select' | ||
| - 'Win32_NTLogEvent' | ||
| selection_wevtutil_img: | ||
| - Image|endswith: '\wevtutil.exe' | ||
| - OriginalFileName: 'wevtutil.exe' | ||
| selection_wevtutil_cli: | ||
| CommandLine|contains: | ||
| - ' qe ' | ||
| - ' query-events ' | ||
| selection_wmic_img: | ||
| - Image|endswith: '\wevtutil.exe' | ||
| - OriginalFileName: 'wevtutil.exe' | ||
| selection_wmic_cli: | ||
| CommandLine|contains: ' ntevent' | ||
| selection_cmdlet: | ||
| CommandLine|contains: | ||
| - 'Get-WinEvent ' | ||
| - 'get-eventlog ' | ||
| selection_logs_name: | ||
| CommandLine|contains: | ||
| # Note: Add more event log channels that are interesting for attackers | ||
| - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' | ||
| - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational' | ||
| - 'Security' | ||
| selection_logs_eid: | ||
| CommandLine|contains: | ||
| # Note: We use the "?" to account for both a single and a double quote | ||
| # Note: Please add additional interesting event IDs | ||
| # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers. | ||
| # This covers EID 4624 from Security Log | ||
| - '-InstanceId 4624' | ||
| - 'System[EventID=4624]' | ||
| - 'EventCode=?4624?' | ||
| - "EventIdentifier=?4624?" | ||
| # This covers EID 4778 from Security Log | ||
| - '-InstanceId 4778' | ||
| - 'System[EventID=4778]' | ||
| - 'EventCode=?4778?' | ||
| - "EventIdentifier=?4778?" | ||
| # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log | ||
| - '-InstanceId 25' | ||
| - 'System[EventID=25]' | ||
| - 'EventCode=?25?' | ||
| - "EventIdentifier=?25?" | ||
| condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet) | ||
| falsepositives: | ||
| - Legitimate usage of the utility by administrators to query the event log | ||
| level: medium |
30 changes: 0 additions & 30 deletions
30
rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
This file was deleted.
Oops, something went wrong.