public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-07-19 17:04:21 +02:00
Code Issues Projects Releases Wiki Activity

Fix formatting issues

Browse Source
This commit is contained in:
Tonmoy Jitu 2024-11-25 20:17:04 +11:00
parent 0986609c4b
commit 8cc231328f
No known key found for this signature in database
GPG Key ID: 5268921F49EE80A1
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
yml/OSBinaries/Wevtutil.yml
View File

@ -20,7 +20,7 @@ Commands:
OperatingSystem: Windows Vista and later OperatingSystem: Windows Vista and later
- Command: wevtutil qe Security /f:xml > exported_logs.xml - Command: wevtutil qe Security /f:xml > exported_logs.xml
Description: Queries the Security event log and exports its contents in XML format to a file. Description: Queries the Security event log and exports its contents in XML format to a file.
Usecase: sed to exfiltrate Security log data for analysis. The XML format allows attackers to parse and extract detailed information about audit events, user activity, or security configurations. Usecase: Used to exfiltrate Security log data for analysis. The XML format allows attackers to parse and extract detailed information about audit events, user activity, or security configurations.
Category: Dump Category: Dump
Privileges: Administrator Privileges: Administrator
MitreID: T1005 MitreID: T1005
@ -29,15 +29,15 @@ Full_Path:
- Path: C:\Windows\System32\wevtutil.exe - Path: C:\Windows\System32\wevtutil.exe
- Path: C:\Windows\SysWOW64\wevtutil.exe - Path: C:\Windows\SysWOW64\wevtutil.exe
Code_Sample: Code_Sample:
- Code: - Code: https://example.com/sample-code
Detection: Detection:
- IOC: Use of wevtutil cl in command-line logs. - IOC: Use of wevtutil cl in command-line logs.
- IOC: Multiple wevtutil qe commands targeting specific Event IDs. - IOC: Multiple wevtutil qe commands targeting specific Event IDs.
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
- Splunk: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_a_ransomware_attack/Wevtutil.exe_abuse - Splunk: https://lantern.splunk.com/Security/UCE/Guided_Insights/Threat_hunting/Detecting_a_ransomware_attack/Wevtutil.exe_abuse
Resources: Resources:
- Link: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/ - Link: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
- Link: https://x.com/tonmoy0010/status/1860963760774713805 - Link: https://x.com/tonmoy0010/status/1860963760774713805
Acknowledgement: Acknowledgement:
- Person: Tonmoy Jitu - Person: Tonmoy Jitu
Handle: '@tonmoy0010' Handle: '@tonmoy0010'