access the Windows event log

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: access the Windows event log
    namespace: host-interaction/log/winevt/access
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Discovery::File and Directory Discovery::Log File [E1083.m01]
    examples:
      - mimikatz.exe_:0x45228B
  features:
    - or:
      - api: OpenEventLog
      - api: ClearEventLog
      - api: OpenBackupEventLog
      - api: ReportEvent

last edited: 2023-11-24 10:34:28