EVTX Created In Uncommon Location

Severity: medium
Author: D3F7A5105
Source: upstream

Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. Note that backup software and legitimate administrator might perform similar actions during troubleshooting.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562.002` Impair Defenses: Disable Windows Event Logging

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `selection`

TargetFilename|endswith: .evtx

Stage 2: `not 1 of filter_main_*`

or:
TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`TargetFilename`	ends_with	`.evtx` corpus 2 (sigma 2) `\Windows\System32\winevt\Logs\`
`TargetFilename`	starts_with	`C:\ProgramData\Microsoft\Windows\Containers\BaseImages\` `C:\Windows\System32\winevt\Logs\` corpus 2 (sigma 2)