Rule : Windows Event Log Access Tampering Via Registry modification
Event Log Tampering Registry
Query
DeviceRegistryEvents
| where RegistryKey has_any ("EventLog", "Channels") and ActionType == "RegistryValueSet"
| where RegistryKey endswith "CustomSD" or RegistryKey endswith "ChannelAccess"About this query
Explanation
This query is designed to detect suspicious modifications to the Windows registry that could indicate tampering with the Windows Event Log system. Specifically, it looks for changes to registry keys related to the Event Log service that end with "CustomSD" or "ChannelAccess". These keys are important because they control security settings for event logging. By monitoring these changes, the query helps identify potential attempts by attackers to disable or manipulate event logging, which could be used to hide malicious activities or maintain unauthorized access. The query focuses on events where registry values are set, suggesting an active modification attempt.
Details

Ali Hussein
Released: February 25, 2025
Tables
Keywords
Operators