KQL Search

This query is designed to identify any attempts to list or enumerate Windows Security Logs using the command-line tool "wevtutil." It focuses on detecting a specific technique known as "Log Collection" (T1654). Here's a simple breakdown of what the query does:

1. Time Frame: It looks at data from the past 7 days.
2. Source: It examines events related to processes on devices (DeviceProcessEvents).
3. Filter Criteria:
   • It checks for events where a process was created (ActionType contains "ProcessCreated").
   • It specifically looks for instances where the process involved is "wevtutil.exe" and the command line used includes "enum-logs."
4. Output: The query extracts and displays specific details about these events, including:
   • The name of the device where the event occurred (DeviceName).
   • The type of action that was recorded (ActionType).
   • The name of the file involved (FileName).
   • The full command line that was executed (ProcessCommandLine).
   • The domain and name of the account that executed the command (AccountDomain, AccountName).
   • The user principal name and command line of the initiating process (InitiatingProcessAccountUpn, InitiatingProcessCommandLine).

In summary, this query helps security analysts detect and investigate potential unauthorized attempts to access or list Windows Security Logs using the "wevtutil" tool.