Detection rules › Sigma
Potential EventLog File Location Tampering
Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.002 Impair Defenses: Disable Windows Event Logging |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: selection
TargetObject|endswith: '\File'
TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
Stage 2: not filter
Details|contains: '\System32\Winevt\Logs\'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Details | match |
|
TargetObject | ends_with |
|
TargetObject | match |
|