Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Change Winevt Channel Access Permission Via Registry

Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Sat Sep 17Updated Mon Mar 257d9263bd-dc47-4a58-bc92-5474abab390cwindows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic3 selectors
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
        TargetObject|endswith: '\ChannelAccess'
        # Add more interesting combinations if you found them
        Details|contains:
            - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
            - '(A;;0x1;;;SY)' # Local System having GENERIC ALL
            - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and  GENERIC WRITE
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
app.any.run
2
Resolving title…
learn.microsoft.com
3
Resolving title…
itconnect.uw.edu
MITRE ATT&CK
Rule Metadata
Rule ID
7d9263bd-dc47-4a58-bc92-5474abab390c
Status
test
Level
high
Type
Detection
Created
Sat Sep 17
Modified
Mon Mar 25
Author
François Hubaut
Path
rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
Raw Tags
attack.defense-evasionattack.t1562.002
View on GitHub