Change Winevt Channel Access Permission Via Registry

calendar Mar 26, 2024 · attack.defense_evasion attack.t1562.002  ·
Share on: linkedin copy

Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.

Sigma rule (View on GitHub)

 1title: Change Winevt Channel Access Permission Via Registry
 2id: 7d9263bd-dc47-4a58-bc92-5474abab390c
 3status: experimental
 4description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
 5references:
 6    - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
 7    - https://learn.microsoft.com/en-us/windows/win32/api/winevt/
 8    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
 9author: frack113
10date: 2022/09/17
11modified: 2024/03/25
12tags:
13    - attack.defense_evasion
14    - attack.t1562.002
15logsource:
16    category: registry_set
17    product: windows
18detection:
19    selection:
20        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
21        TargetObject|endswith: '\ChannelAccess'
22        # Add more interesting combinations if you found them
23        Details|contains:
24            - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
25            - '(A;;0x1;;;SY)' # Local System having GENERIC ALL
26            - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and  GENERIC WRITE
27    filter_main_trustedinstaller:
28        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
29    filter_main_tiworker:
30        Image|startswith: 'C:\Windows\WinSxS\'
31        Image|endswith: '\TiWorker.exe'
32    condition: selection and not 1 of filter_main_*
33falsepositives:
34    - Unknown
35level: high

References

Related rules

to-top