EVTX Created In Uncommon Location

 1title: EVTX Created In Uncommon Location
 2id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
 3status: experimental
 4description: |
 5    Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
 6    This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
 7    Note that backup software and legitimate administrator might perform similar actions during troubleshooting.    
 8references:
 9    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
10author: D3F7A5105
11date: 2023/01/02
12modified: 2024/03/26
13tags:
14    - attack.defense_evasion
15    - attack.t1562.002
16logsource:
17    category: file_event
18    product: windows
19    definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx<TargetFilename>'
20detection:
21    selection:
22        TargetFilename|endswith: '.evtx'
23    filter_main_path:
24        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
25    filter_main_baseimage:
26        TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
27        TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
28    condition: selection and not 1 of filter_main_*
29falsepositives:
30    - Administrator or backup activity
31    - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "<log_name">_<uuid>.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
32level: medium