Windows Event Log Access Tampering Via Registry

Rule Info

Name
Windows Event Log Access Tampering Via Registry
Author
X__Junior
Description
Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
Reference
https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
Date
2025-01-16 00:00:00
Modified
2025-02-05 00:00:00
Id
ba226dcf-d390-4642-b9af-b534872f1156
Tags
attack.defense-evasion attack.t1547.001 attack.t1112
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=ba226dcf-d390-4642-b9af-b534872f1156

Rule History

Author
Title
Date
Commit
david-syk
Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags
2025-05-20
a869abc3c
Koifman
Merge PR #5182 from @Koifman - Update `Windows Event Log Access Tampering Via Registry`
2025-02-17
de0c3f3a8
Mohamed Ashraf
Merge PR #5162 from @X-Junior - Add `Windows Event Log Access Tampering Via Registry`
2025-01-30
3724456d6
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022