Registry Modification to Disable Event Logging - Process

Rule Info

Name
Registry Modification to Disable Event Logging - Process
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects attempts to modify Windows Event Logging registry keys, which could indicate an adversary trying to disable system event logging. This is a common defense evasion technique where attackers try to prevent their activities from being logged by disabling the Windows Event Logging service. A successful attack would significantly impair system auditing and security monitoring capabilities.
Reference
https://ptylu.github.io/content/report/report.html?report=25
Date
2025-04-09 00:00:00
Modified
None
Id
ea20cf1b-d402-4942-a50d-4418c1693dea
Tags
attack.defense-evasion attack.t1562.002 car.2022-03-001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022