Techniques
Sample rules
Windows Event Log Access Tampering Via Registry
- source: sigma
- technicques:
- t1112
- t1547
- t1547.001
Description
Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn’t be able to access the event log channel via the event viewer or via utilities such as “Get-EventLog” or “wevtutil”.
Detection logic
condition: 1 of selection_key_* and selection_details
selection_details:
- Details|contains: D:(D;
- Details|contains|all:
- D:(
- )(D;
selection_key_1:
TargetObject|contains: \SYSTEM\CurrentControlSet\Services\EventLog\
TargetObject|endswith: \CustomSD
selection_key_2:
TargetObject|contains:
- \Policies\Microsoft\Windows\EventLog\
- \Microsoft\Windows\CurrentVersion\WINEVT\Channels
TargetObject|endswith: \ChannelAccess