sigmahighHunting

Potential EventLog File Location Tampering

Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting

MITRE ATT&CK

T1562.002

defense-evasion

Detection Query

selection:
  TargetObject|contains: \SYSTEM\CurrentControlSet\Services\EventLog\
  TargetObject|endswith: \File
filter:
  Details|contains: \System32\Winevt\Logs\
condition: selection and not filter

Author

D3F7A5105

Created

2023-01-02

Data Sources

windowsRegistry Set Events

Platforms

windows

References

https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key

Tags

attack.defense-evasionattack.t1562.002

Raw Content

title: Potential EventLog File Location Tampering
id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
status: test
description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
references:
    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1562.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\File'
    filter:
        Details|contains: '\System32\Winevt\Logs\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high