Techniques
Sample rules
Windows New EventLog ChannelAccess Registry Value Set
- source: splunk
- technicques:
- T1562.002
Description
The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the “CustomSD” value within the “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog<Channel>\CustomSD” path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path IN ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*", "*\Microsoft\Windows\EventLog\*") AND Registry.registry_value_name=ChannelAccess BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_new_eventlog_channelaccess_registry_value_set_filter`