Potential EventLog File Location Tampering
Detects tampering with the EventLog service "File" registry value, which changes the default location of a channel's .evtx file. This technique is used to tamper with log collection and alerting.
Sigma rule

```yaml
title: Potential EventLog File Location Tampering
id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
status: test
description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
references:
    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1562.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\File'
    filter:
        Details|contains: '\System32\Winevt\Logs\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
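The rule's `selection and not filter` logic, re-implemented in Python so it can be exercised against sample `registry_set` events before deployment. This is an added example, not part of the Sigma rule or the SigmaHQ project; the event records are constructed (Sysmon Event ID 13 shape) and the key and directory constants are taken from the rule above.

```python
# Sigma rule "Potential EventLog File Location Tampering" as plain Python, for
# testing against registry_set events (Sysmon Event ID 13). The sample events
# below are constructed for this example, not real telemetry.

EVENTLOG_KEY = "\\system\\currentcontrolset\\services\\eventlog\\"
DEFAULT_LOG_DIR = "\\system32\\winevt\\logs\\"

SAMPLE_EVENTS = [
    # Benign: the Security log keeps its default location (REG_EXPAND_SZ path).
    {"EventID": 13,
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security\\File",
     "Details": "%SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx"},
    # Suspicious: the Security log is redirected outside the default directory.
    {"EventID": 13,
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security\\File",
     "Details": "C:\\Users\\Public\\sec.evtx"},
    # Out of scope: a different value under the same channel key.
    {"EventID": 13,
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\MaxSize",
     "Details": "DWORD (0x01400000)"},
    # Out of scope: a value named 'File' outside the EventLog service tree.
    {"EventID": 13,
     "TargetObject": "HKLM\\SOFTWARE\\ExampleVendor\\ExampleApp\\File",
     "Details": "D:\\data\\app.log"},
]


def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and not filter' for one registry_set event.

    Sigma's contains/endswith modifiers are case-insensitive, so both fields
    are lower-cased before comparison.
    """
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    selection = EVENTLOG_KEY in target and target.endswith("\\file")
    filter_hit = DEFAULT_LOG_DIR in details
    return selection and not filter_hit


def find_tampering(events: list[dict]) -> list[tuple[str, str]]:
    """Return (registry value, new path) for every event the rule would alert on."""
    return [(e["TargetObject"], e["Details"]) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for key, path in find_tampering(SAMPLE_EVENTS):
        print(f"ALERT: {key} -> {path}")
```

Because the filter is a substring match, a path that still contains `\System32\Winevt\Logs\` (for example a subdirectory under it) is suppressed; tune the filter if such paths are not expected in your environment.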
Related rules
- Audit Policy Tampering Via Auditpol
- Audit Policy Tampering Via NT Resource Kit Auditpol
- Change Winevt Channel Access Permission Via Registry
- Disable Windows Event Logging Via Registry
- Disable Windows IIS HTTP Logging