Skip to content
Threat Feed
medium advisory

Windows EventLog Reconnaissance Activity Detection

This detection identifies potential reconnaissance activities on Windows systems by adversaries using tools like `wevtutil.exe`, `wmic.exe`, and PowerShell cmdlets to query event logs for sensitive information.

This analytic detects EventLog reconnaissance activity using utilities such as wevtutil.exe, wmic.exe, PowerShell cmdlets like Get-WinEvent, or WMI queries targeting Win32_NTLogEvent. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. These tools are often used by adversaries to extract usernames, IP addresses, session data, and event information for credential access or situational awareness during lateral movement. While these utilities are legitimate, execution with specific arguments or targeting sensitive logs like Security, PowerShell, or specific EventIDs (e.g., 4624, 4778) can indicate malicious intent. This activity, if confirmed malicious, allows an attacker to extract sensitive information, potentially enabling lateral movement and further compromise within the network. The references section contains links to various threat reports that describe similar reconnaissance activity in real-world attacks.

Attack Chain

  1. The attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker executes powershell.exe or pwsh.exe to run PowerShell commands.
  3. The attacker uses Get-WinEvent or Get-EventLog cmdlets to query specific event logs, such as the Security or PowerShell event logs.
  4. Alternatively, the attacker executes wevtutil.exe with the qe (query events) or query-events options to retrieve event log data.
  5. The attacker might use wmic.exe to query Win32_NTLogEvent to enumerate event logs and their contents.
  6. The attacker parses the retrieved event log data, searching for sensitive information like usernames, IP addresses, and login events (Event ID 4624).
  7. The attacker uses the gathered information to identify potential targets for lateral movement or to escalate privileges.
  8. The attacker attempts to use compromised credentials to access other systems or resources within the network, furthering their objectives.

Impact

A successful attack can lead to the compromise of sensitive information stored in Windows Event Logs. This could include user credentials, system configurations, and other valuable data. An attacker can use this information to move laterally within the network, escalate privileges, and ultimately achieve their objectives, such as data exfiltration or deploying ransomware. Successful attacks exploiting these techniques have been observed in multiple incidents, including those attributed to Lazarus Group and APT41.

Recommendation

  • Deploy the "Windows EventLog Recon Activity Using Log Query Utilities" analytic to your SIEM and tune for your environment.
  • Enable Sysmon EventID 1 (process creation) and Windows Event Log Security 4688 to provide the necessary data for the detection.
  • Monitor process command lines for the use of wevtutil.exe, wmic.exe, and PowerShell cmdlets like Get-WinEvent with parameters targeting sensitive event logs as described in the rule.
  • Investigate any alerts generated by the detection, filtering out known legitimate uses by system administrators or monitoring tools to reduce false positives.
  • Review the references section for additional context on real-world attacks that utilize similar techniques.

Detection coverage 3

Detect PowerShell Event Log Querying

medium

Detects PowerShell commands used to query event logs, which may indicate reconnaissance activity.

sigma tactics: discovery techniques: T1654 sources: process_creation, windows

Detect wevtutil.exe Event Log Query

medium

Detects the use of wevtutil.exe to query event logs, a technique used for reconnaissance.

sigma tactics: discovery techniques: T1654 sources: process_creation, windows

Detect WMIC Event Log Query

medium

Detects the use of wmic.exe to query event logs, a technique used for reconnaissance.

sigma tactics: discovery techniques: T1654 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →