Florian Roth
43 lines
1.3 KiB
YAML
43 lines
1.3 KiB
YAML
title: Suspicious Use of PsLogList
|
|
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
|
|
description: Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.
|
|
status: experimental
|
|
references:
|
|
- https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
|
|
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
|
|
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
|
|
author: Nasreddine Bencherchali @nas_bench
|
|
date: 2021/12/18
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1087
|
|
- attack.t1087.001
|
|
- attack.t1087.002
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
OriginalFileName|contains: 'psloglist'
|
|
selection2:
|
|
Image|endswith:
|
|
- '\psloglist.exe'
|
|
- '\psloglist64.exe'
|
|
flags:
|
|
CommandLine|contains:
|
|
- '-d'
|
|
- '/d'
|
|
- '-x'
|
|
- '/x'
|
|
- '-s'
|
|
- '/s'
|
|
other:
|
|
CommandLine|contains|all:
|
|
- 'security'
|
|
- 'accepteula'
|
|
condition: (1 of selection*) or (flags and other)
|
|
falsepositives:
|
|
- Another tool that uses the command line switches of PsLogList
|
|
- Legitimate use of PsLogList by an administrator
|
|
level: medium
|