https://detection.fyi/tags/attack.t1685.001/ Recent content in attack.t1685.001 on Detection.FYI Hugo -- gohugo.io Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_auditpol_susp_execution/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_auditpol_susp_execution/ Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage/ Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_change_winevt_channelaccess/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_change_winevt_channelaccess/ Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel. https://detection.fyi/sigmahq/sigma/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint/ Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_winevt_logging/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_winevt_logging/ Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_iis_appcmd_http_logging/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_iis_appcmd_http_logging/ Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union) https://detection.fyi/sigmahq/sigma/windows/builtin/iis-configuration/win_iis_logging_etw_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/iis-configuration/win_iis_logging_etw_disabled/ Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option. https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_create_evtx_non_common_locations/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_create_evtx_non_common_locations/ Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_fltmc_unload_driver/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_fltmc_unload_driver/ Detect filter driver unloading activity via fltmc.exe https://detection.fyi/sigmahq/sigma/emerging-threats/2024/ta/forest-blizzard/file_event_win_apt_forest_blizzard_activity/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2024/ta/forest-blizzard/file_event_win_apt_forest_blizzard_activity/ Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT. https://detection.fyi/sigmahq/sigma/emerging-threats/2024/ta/forest-blizzard/file_event_win_apt_forest_blizzard_constrained_js/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2024/ta/forest-blizzard/file_event_win_apt_forest_blizzard_constrained_js/ Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_hktl_sharpevtmute/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_hktl_sharpevtmute/ Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_sharpevtmute/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_sharpevtmute/ Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_hktl_sysmonente/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_hktl_sysmonente/ Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon https://detection.fyi/sigmahq/sigma/windows/builtin/iis-configuration/win_iis_logging_http_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/iis-configuration/win_iis_logging_http_disabled/ Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests. https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_disable_event_auditing_critical/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_disable_event_auditing_critical/ Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled. https://detection.fyi/sigmahq/sigma/windows/builtin/iis-configuration/win_iis_module_added/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/iis-configuration/win_iis_module_added/ Detects the addition of a new module to an IIS server. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_autologger_sessions/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_autologger_sessions/ Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging. The AutoLogger event tracing session records events up that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_evtx_file_key_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_evtx_file_key_tamper/ Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_secedit_execution/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_secedit_execution/ Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy https://detection.fyi/sigmahq/sigma/windows/builtin/iis-configuration/win_iis_module_removed/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/iis-configuration/win_iis_module_removed/ Detects the removal of a previously installed IIS module. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint/ Detects attempts to disable security event logging by adding the `MiniNt` registry key. This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications. Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_create_minint_key/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_create_minint_key/ Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events. Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing. Adversary may want to disable this service to disable logging of security events which could be used to detect their activities. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_eventlog_clear/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_eventlog_clear/ Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses. https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_svchost_susp_access_request/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_svchost_susp_access_request/ Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon/ Detects possible Sysmon filter driver unloaded via fltmc.exe https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_disable_event_auditing/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_disable_event_auditing/ Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_autologger_session_registry_modification/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_autologger_session_registry_modification/ Detects attempts to disable Windows EventLog autologger sessions via registry modification. The AutoLogger event tracing session records events that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.