Skip to content

Hide Navigation Hide TOC

Suspicious Use of PsLogList (aae1243f-d8af-40d8-ab20-33fc6d0c55bc)

Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs

Cluster A Galaxy A Cluster B Galaxy B Level
Suspicious Use of PsLogList (aae1243f-d8af-40d8-ab20-33fc6d0c55bc) Sigma-Rules Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 1
Suspicious Use of PsLogList (aae1243f-d8af-40d8-ab20-33fc6d0c55bc) Sigma-Rules Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 1
Suspicious Use of PsLogList (aae1243f-d8af-40d8-ab20-33fc6d0c55bc) Sigma-Rules Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 1
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2