Potential EventLog File Location Tampering

Detects tampering with the EventLog service "File" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting.

Sigma rule

title: Potential EventLog File Location Tampering
id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
status: experimental
description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
references:
    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023/01/02
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1562.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\File'
    filter:
        Details|contains: '\System32\Winevt\Logs\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
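To show how the rule's `selection and not filter` condition behaves on real registry_set telemetry, here is an added example (not part of the Sigma rule or the Sigma project) that re-implements the rule's matching logic in Python and runs it over a handful of constructed events modelled on Sysmon Event ID 13 (RegistryEvent value set). The field names `TargetObject` and `Details` are the ones the rule uses; the sample paths and the `reg.exe` process image are constructed for illustration. As Sigma string modifiers do, the comparisons are case-insensitive, which is why `\SYSTEM\` in the rule still matches Sysmon's `HKLM\System\...` spelling.

```python
"""Added example: evaluate the Sigma rule's selection/filter logic over
constructed Sysmon registry_set events. Not the rule's or project's code."""
from typing import Dict, List

# Strings taken from the rule above. Normal (non-raw) strings are used
# because a Python raw string cannot end in a single backslash.
EVENTLOG_SERVICES_PATH = "\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\"
FILE_VALUE_SUFFIX = "\\File"
DEFAULT_LOG_DIR = "\\System32\\Winevt\\Logs\\"


def _contains(haystack: str, needle: str) -> bool:
    """Sigma's |contains modifier: case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def _endswith(haystack: str, suffix: str) -> bool:
    """Sigma's |endswith modifier: case-insensitive suffix match."""
    return haystack.lower().endswith(suffix.lower())


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    # selection: a value named 'File' under any EventLog service subkey
    selection = _contains(target, EVENTLOG_SERVICES_PATH) and _endswith(
        target, FILE_VALUE_SUFFIX
    )
    # filter: the new path still points into the default Winevt\Logs folder
    filt = _contains(details, DEFAULT_LOG_DIR)
    return selection and not filt


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry), shaped like Sysmon EID 13.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # benign: File value rewritten but still inside the default folder
        "EventID": "13",
        "Image": r"C:\Windows\System32\services.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\Security\File",
        "Details": r"%SystemRoot%\System32\Winevt\Logs\Security.evtx",
    },
    {  # alert: File value redirected outside the default folder
        "EventID": "13",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\Security\File",
        "Details": r"C:\Users\Public\sec.evtx",
    },
    {  # no alert: a different value under the same EventLog subkey
        "EventID": "13",
        "Image": r"C:\Windows\System32\services.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\Security\MaxSize",
        "Details": "DWORD (0x01400000)",
    },
    {  # no alert: a 'File' value that is not under the EventLog service tree
        "EventID": "13",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSvc\File",
        "Details": r"C:\ProgramData\ExampleSvc\state.bin",
    },
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert['Image']} set {alert['TargetObject']} -> {alert['Details']}")
```

The third and fourth samples show what the two `selection` clauses exclude on their own, and the first shows the `filter` clause suppressing a rewrite that keeps the log in its default directory; only the second event, where the Security log is pointed at a user-writable path, is reported.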
