
Windows Event Log Access Tampering Via Registry

Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel. Upon execution, the user shouldn't be able to access the event log channel via the Event Viewer or via utilities such as "Get-EventLog" or "wevtutil".

Author: X__Junior | Created: Thu Jan 16 | Updated: Sat Aug 16 | Rule ID: ba226dcf-d390-4642-b9af-b534872f1156 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (7 selectors)
detection:
    # O:SYG:SYD:(D;;0x1;;;WD)
    # O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)
    selection_key_1:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\CustomSD'
    selection_key_2:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows\EventLog\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
        TargetObject|endswith: '\ChannelAccess'
    selection_details:
        - Details|contains: 'D:(D;'
        - Details|contains|all:
              - 'D:('
              - ')(D;'
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_optional_empty:
        Image: ''
    filter_optional_null:
        Image: null
    condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
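The condition above, expressed as a small Python evaluator so the selectors and filters can be exercised against sample Sysmon Event ID 13 (registry value set) records. This is an added example, not code from the rule page or from SigmaHQ; the events are constructed and the field names (Image, TargetObject, Details) follow the Sigma windows/registry_set taxonomy. Sigma string matching is case-insensitive, so comparisons are done on lowercased values.

```python
# Added example: evaluates the Sigma condition
# "1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*"
# over dict-shaped events. Field names follow the Sigma windows/registry_set taxonomy.

KEY_1_CONTAINS = "\\system\\currentcontrolset\\services\\eventlog\\"
KEY_2_CONTAINS = ("\\policies\\microsoft\\windows\\eventlog\\",
                  "\\microsoft\\windows\\currentversion\\winevt\\channels")

def selection_key(ev):
    # selection_key_1: per-log CustomSD value; selection_key_2: per-channel ChannelAccess value
    t = (ev.get("TargetObject") or "").lower()
    key_1 = KEY_1_CONTAINS in t and t.endswith("\\customsd")
    key_2 = any(s in t for s in KEY_2_CONTAINS) and t.endswith("\\channelaccess")
    return key_1 or key_2

def selection_details(ev):
    # SDDL whose DACL starts with a deny ACE, or carries a deny ACE after another ACE
    d = (ev.get("Details") or "").lower()
    return "d:(d;" in d or ("d:(" in d and ")(d;" in d)

def filtered(ev):
    # filter_optional_null / filter_optional_empty: no Image recorded
    img = ev.get("Image")
    if img is None or img == "":
        return True
    img = img.lower()
    if img == "c:\\windows\\servicing\\trustedinstaller.exe":  # filter_main_trustedinstaller
        return True
    return img.startswith("c:\\windows\\winsxs\\") and img.endswith("\\tiworker.exe")  # filter_main_tiworker

def matches(ev):
    return selection_key(ev) and selection_details(ev) and not filtered(ev)

# Constructed sample events (not real telemetry); the WinSxS directory name is a placeholder.
EVENTS = [
    {"id": "deny_everyone", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security\\CustomSD",
     "Details": "O:SYG:SYD:(D;;0x1;;;WD)"},
    {"id": "ti_worker", "Image": "C:\\Windows\\WinSxS\\amd64_servicingstack_PLACEHOLDER\\TiWorker.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational\\ChannelAccess",
     "Details": "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)"},
    {"id": "allow_only", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Application\\ChannelAccess",
     "Details": "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)"},
    {"id": "unrelated_value", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\MaxSize",
     "Details": "DWORD (0x00500000)"},
]

def alerts(events=EVENTS):
    """Return the ids of events the rule would fire on."""
    return [ev["id"] for ev in events if matches(ev)]
```

Only the first event alerts: the TiWorker write is filtered, the allow-only SDDL has no deny ACE, and the MaxSize write is not a permission value.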
False Positives

Administrative activity, still unlikely

Rule Metadata
Rule ID: ba226dcf-d390-4642-b9af-b534872f1156
Status: experimental
Level: high
Type: Detection
Created: Thu Jan 16
Modified: Sat Aug 16
Author: X__Junior
Path: rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml
Raw Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1547.001, attack.t1112