LoFP LoFP / none identified, setting up the \"customsd\" value is considered a legacy option and shouldn't be a common activity.

Techniques

Sample rules

Windows New Custom Security Descriptor Set On EventLog Channel

Description

The following analytic detects suspicious modifications to the EventLog security descriptor registry value for defense evasion. It leverages data from the Endpoint.Registry data model, focusing on changes to the “CustomSD” value within the “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog<Channel>\CustomSD” path. This activity is significant as changes to the access permissions of the event log could blind security products and help attackers evade defenses. If confirmed malicious, this could allow attackers to block users and security products from viewing, ingesting and interacting event logs.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*" AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`