EVTX Created In Uncommon Location
Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls
Sigma rule (View on GitHub)
1title: EVTX Created In Uncommon Location
2id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
3status: experimental
4description: Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls
5references:
6 - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
7author: D3F7A5105
8date: 2023/01/02
9modified: 2023/07/13
10tags:
11 - attack.defense_evasion
12 - attack.t1562.002
13logsource:
14 category: file_event
15 product: windows
16 definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx<TargetFilename>'
17detection:
18 selection:
19 TargetFilename|endswith: '.evtx'
20 filter_main_path:
21 TargetFilename|contains: ':\Windows\System32\winevt\Logs\'
22 filter_main_baseimage:
23 TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\'
24 TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
25 filter_main_generic_img:
26 Image|endswith:
27 - ':\Windows\explorer.exe'
28 - ':\Windows\system32\dllhost.exe'
29 condition: selection and not 1 of filter_main_*
30falsepositives:
31 - Administrator or backup activity
32level: high
References
Related rules
- Potential Suspicious Activity Using SeCEdit
- HackTool - SharpEvtMute Execution
- Change Winevt Event Access Permission Via Registry
- Disable Windows Event Logging Via Registry
- Potential EventLog File Location Tampering