Windows EventLog Reconnaissance Activity Detection
This detection identifies potential reconnaissance activities on Windows systems by adversaries using tools like `wevtutil.exe`, `wmic.exe`, and PowerShell cmdlets to query event logs for sensitive information.
This analytic detects EventLog reconnaissance activity using utilities such as wevtutil.exe, wmic.exe, PowerShell cmdlets like Get-WinEvent, or WMI queries targeting Win32_NTLogEvent. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. These tools are often used by adversaries to extract usernames, IP addresses, session data, and event information for credential access or situational awareness during lateral movement. While these utilities are legitimate, execution with specific arguments or targeting sensitive logs like Security, PowerShell, or specific EventIDs (e.g., 4624, 4778) can indicate malicious intent. This activity, if confirmed malicious, allows an attacker to extract sensitive information, potentially enabling lateral movement and further compromise within the network. The references section contains links to various threat reports that describe similar reconnaissance activity in real-world attacks.
Attack Chain
- The attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
- The attacker executes
powershell.exeorpwsh.exeto run PowerShell commands. - The attacker uses
Get-WinEventorGet-EventLogcmdlets to query specific event logs, such as theSecurityorPowerShellevent logs. - Alternatively, the attacker executes
wevtutil.exewith theqe(query events) orquery-eventsoptions to retrieve event log data. - The attacker might use
wmic.exeto queryWin32_NTLogEventto enumerate event logs and their contents. - The attacker parses the retrieved event log data, searching for sensitive information like usernames, IP addresses, and login events (Event ID 4624).
- The attacker uses the gathered information to identify potential targets for lateral movement or to escalate privileges.
- The attacker attempts to use compromised credentials to access other systems or resources within the network, furthering their objectives.
Impact
A successful attack can lead to the compromise of sensitive information stored in Windows Event Logs. This could include user credentials, system configurations, and other valuable data. An attacker can use this information to move laterally within the network, escalate privileges, and ultimately achieve their objectives, such as data exfiltration or deploying ransomware. Successful attacks exploiting these techniques have been observed in multiple incidents, including those attributed to Lazarus Group and APT41.
Recommendation
- Deploy the "Windows EventLog Recon Activity Using Log Query Utilities" analytic to your SIEM and tune for your environment.
- Enable Sysmon EventID 1 (process creation) and Windows Event Log Security 4688 to provide the necessary data for the detection.
- Monitor process command lines for the use of
wevtutil.exe,wmic.exe, and PowerShell cmdlets likeGet-WinEventwith parameters targeting sensitive event logs as described in the rule. - Investigate any alerts generated by the detection, filtering out known legitimate uses by system administrators or monitoring tools to reduce false positives.
- Review the references section for additional context on real-world attacks that utilize similar techniques.
Detection coverage 3
Detect PowerShell Event Log Querying
mediumDetects PowerShell commands used to query event logs, which may indicate reconnaissance activity.
Detect wevtutil.exe Event Log Query
mediumDetects the use of wevtutil.exe to query event logs, a technique used for reconnaissance.
Detect WMIC Event Log Query
mediumDetects the use of wmic.exe to query event logs, a technique used for reconnaissance.
Detection queries are available on the platform. Get full rules →