Potential EventLog File Location Tampering

Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting

Sigma rule (View on GitHub)

 1title: Potential EventLog File Location Tampering
 2id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
 3status: test
 4description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
 5references:
 6    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
 7author: D3F7A5105
 8date: 2023/01/02
 9modified: 2023/08/17
10tags:
11    - attack.defense_evasion
12    - attack.t1562.002
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
19        TargetObject|endswith: '\File'
20    filter:
21        Details|contains: '\System32\Winevt\Logs\'
22    condition: selection and not filter
23falsepositives:
24    - Unknown
25level: high

References

Related rules

to-top