
Summary
This detection rule identifies use of the 'Write-EventLog' cmdlet in PowerShell scripts together with the '-RawData' parameter. Attackers can abuse the cmdlet to write arbitrary data, including malicious payloads, into the Windows Event Log. Once the data is recorded there, an attacker can retrieve it for later use, for example in ransom or persistence mechanisms. The rule requires Script Block Logging to be enabled so that these events are captured accurately; any PowerShell execution that meets these conditions then triggers an alert for further investigation. The rule is an important control for monitoring potential command and control traffic or other malicious activity disguised as legitimate event logging. Incident responders should prioritize validating alerts generated by this rule, because 'Write-EventLog' has legitimate uses and the rule can therefore produce false positives.
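The matching logic described above, as an added example that is not the rule's own query: it assumes Script Block Logging is enabled so that PowerShell event 4104 records carry the full ScriptBlockText, and it runs over constructed sample records rather than real telemetry.

```python
"""Check Script Block Logging records for Write-EventLog used with -RawData.

Added example, not the detection rule's original logic. Assumes event 4104
(Microsoft-Windows-PowerShell/Operational) carries the full script text;
the records at the bottom are constructed samples, not real telemetry.
"""
import re

# Cmdlet and parameter names are case-insensitive in PowerShell, so match
# them case-insensitively; the parameter must start its own token.
CMDLET_RE = re.compile(r"\bWrite-EventLog\b", re.IGNORECASE)
RAWDATA_RE = re.compile(r"(?<![\w-])-RawData\b", re.IGNORECASE)


def uses_write_eventlog_rawdata(script_block_text: str) -> bool:
    """True if a single Write-EventLog invocation in the block carries -RawData."""
    # Join backtick line continuations so a parameter written on the next
    # line is still attributed to the same command.
    text = re.sub(r"`\r?\n", " ", script_block_text)
    # Split into statements on newlines, semicolons and pipes so that a
    # -RawData token belonging to a different command does not count.
    for stmt in re.split(r"[\r\n;|]+", text):
        if CMDLET_RE.search(stmt) and RAWDATA_RE.search(stmt):
            return True
    return False


def triage(records):
    """Return RecordIds of 4104 events that satisfy the detection condition."""
    return [
        r["RecordId"]
        for r in records
        if r.get("EventID") == 4104
        and uses_write_eventlog_rawdata(r.get("ScriptBlockText", ""))
    ]


# Constructed sample events (hypothetical; not captured from a real host).
SAMPLE_RECORDS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Write-EventLog -LogName Application -Source MyApp -EventId 1000 -Message 'service started'"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "$b = [byte[]](1..16)\nwrite-eventlog -LogName Application -Source MyApp `\n  -EventId 1 -Message 'x' -RawData $b"},
    {"RecordId": 3, "EventID": 4103,  # module logging only; no script block text guarantee
     "ScriptBlockText": "Write-EventLog -LogName Application -Source MyApp -EventId 1 -RawData $b -Message 'x'"},
    {"RecordId": 4, "EventID": 4104,
     "ScriptBlockText": "Get-EventLog -LogName Application -Newest 5; Write-EventLog -LogName Application -Source MyApp -EventId 1 -Message 'ok'"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))  # [2]
```

Only record 2 alerts: it is a 4104 event whose Write-EventLog call carries -RawData even though the cmdlet is lower-cased and the parameter sits on a continuation line; record 1 and 4 lack the parameter and record 3 is not a script block event.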
Categories
- Endpoint
- Windows
Data Sources
- Script
- Application Log
Created: 2022-08-16