EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Suspicious Use of PsLogList

Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs

MITRE ATT&CK

T1087T1087.001T1087.002
discovery

Detection Query

selection_img:
  - OriginalFileName: psloglist.exe
  - Image|endswith:
      - \psloglist.exe
      - \psloglist64.exe
selection_cli_eventlog:
  CommandLine|contains:
    - " security"
    - " application"
    - " system"
selection_cli_flags:
  CommandLine|contains|windash:
    - " -d"
    - " -x"
    - " -s"
    - " -c"
    - " -g"
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2021-12-18

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.discoveryattack.t1087attack.t1087.001attack.t1087.002
Raw Content
title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
status: test
description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
references:
    - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
    - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
    - https://twitter.com/EricaZelic/status/1614075109827874817
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'psloglist.exe'
        - Image|endswith:
              - '\psloglist.exe'
              - '\psloglist64.exe'
    selection_cli_eventlog:
        CommandLine|contains:
            - ' security'
            - ' application'
            - ' system'
    selection_cli_flags:
        CommandLine|contains|windash:
            - ' -d'
            - ' -x'
            - ' -s'
            - ' -c' # Clear event log after displaying
            - ' -g' # Export an event log as an evt file.
    condition: all of selection_*
falsepositives:
    - Another tool that uses the command line switches of PsLogList
    - Legitimate use of PsLogList by an administrator
level: medium