Windows Event Log Access Tampering Via Registry

Severity: high
Author: X__Junior
Source: upstream

Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1112` Modify Registry, `T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation	`T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion	`T1112` Modify Registry

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `1 of selection_key_1`

TargetObject|endswith: '\CustomSD'
TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'

Stage 2: `1 of selection_key_2`

or:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
TargetObject|contains: '\Policies\Microsoft\Windows\EventLog\'
TargetObject|endswith: '\ChannelAccess'

Stage 3: `selection_details`

or:
Details|contains: ')(D;'
Details|contains: 'D:('
Details|contains: 'D:(D;'

Stage 4: `not 1 of filter_main_*`

or:
Image|endswith: '\TiWorker.exe'
Image|startswith: 'C:\Windows\WinSxS\'
Image: 'C:\Windows\servicing\TrustedInstaller.exe'

Stage 5: `not 1 of filter_optional_*`

or:
Image: ''
Image: null

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	match	`)(D;` `D:(` `D:(D;`
`Image`	ends_with	`\TiWorker.exe` corpus 7 (sigma 7)
`Image`	eq	`C:\Windows\servicing\TrustedInstaller.exe` corpus 3 (sigma 3)
`Image`	starts_with	`C:\Windows\WinSxS\` corpus 13 (sigma 13)
`TargetObject`	ends_with	`\ChannelAccess` corpus 2 (sigma 2) `\CustomSD`
`TargetObject`	match	`\Microsoft\Windows\CurrentVersion\WINEVT\Channels` `\Policies\Microsoft\Windows\EventLog\` `\SYSTEM\CurrentControlSet\Services\EventLog\` corpus 2 (sigma 2)

Windows Event Log Access Tampering Via Registry

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: 1 of selection_key_1

Stage 2: 1 of selection_key_2

Stage 3: selection_details