The actor gathered information about successful logons to the host using a PowerShell command.
Example:
Get-EventLog security -instanceid 4624
Related
Volt Typhoon activity
Reference
https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
{{ mitre("T1033") }}
Data source - Command
// Both terms must be present in the command line. KQL has_all is a
// case-insensitive whole-term match, so "4624" inside a longer token does not count.
let c1 = dynamic(["Get-EventLog", "4624"]);
// Check every command-line column the process-creation schemas expose.
find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1)
- Inspect which account and at what time the activity was performed
- Question the user if the activity was expected and approved
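The following is an added example, not part of the original rule, that emulates the query's `has_all` matching in Python over constructed process-creation events and returns the account and time fields the response steps ask for. The event records, account names and command lines are made up for illustration; the term-boundary behaviour mirrors KQL `has` (case-insensitive, whole term), which is why a "4624" embedded in a longer token is deliberately not matched.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2023-05-07T10:14:02Z", "account": "CONTOSO\\svc_backup",
     "command_line": 'powershell.exe -c "Get-EventLog security -instanceid 4624"'},
    {"time": "2023-05-07T10:20:45Z", "account": "CONTOSO\\jdoe",
     "command_line": "powershell.exe Get-EventLog -LogName System -InstanceId 7036"},
    {"time": "2023-05-07T11:02:11Z", "account": "CONTOSO\\admin1",
     "command_line": "POWERSHELL.EXE GET-EVENTLOG Security -InstanceId 4624 -Newest 50"},
    # "4624" appears only inside the token "App4624", so a whole-term match must not fire.
    {"time": "2023-05-07T11:30:00Z", "account": "CONTOSO\\jdoe",
     "command_line": "powershell.exe Get-EventLog -LogName Application -Source App4624"},
]

# Same terms as the rule's c1 array.
TERMS = ["Get-EventLog", "4624"]


def has_term(text: str, term: str) -> bool:
    """Emulate KQL `has`: case-insensitive match of `term` as a whole term,
    i.e. bounded by non-alphanumeric characters or the ends of the string."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def has_all(text: str, terms) -> bool:
    """Emulate KQL `has_all`: every term must match as a whole term."""
    return all(has_term(text, t) for t in terms)


def hunt(events, terms=TERMS):
    """Return (time, account, command_line) for each event whose command line
    carries every term, i.e. the rows the KQL query would surface."""
    return [
        (e["time"], e["account"], e["command_line"])
        for e in events
        if has_all(e["command_line"], terms)
    ]


if __name__ == "__main__":
    for time, account, cmd in hunt(SAMPLE_EVENTS):
        # These are the two facts the first response step asks for: who and when.
        print(f"{time}  {account}  {cmd}")
```

Running it lists the first and third events (different casing, different argument order) and skips the other two: one has no 4624 at all, the other only has it as part of a longer token, which `has_all` does not treat as the term 4624. Swapping `has_all` for `contains` semantics would change that last result, so the choice of operator is part of the rule's meaning.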
Version 1.0 (date 5/7/2023)