Query Details

Rule : Windows Event Log Access Tampering Via Registry modification

Event Log Tampering Registry

Query

DeviceRegistryEvents
| where RegistryKey has_any ("EventLog", "Channels") and ActionType == "RegistryValueSet"
| where RegistryKey endswith "CustomSD" or RegistryKey endswith "ChannelAccess"

About this query

Explanation

This query is designed to detect suspicious modifications to the Windows registry that could indicate tampering with the Windows Event Log system. Specifically, it looks for changes to registry keys related to the Event Log service that end with "CustomSD" or "ChannelAccess". These keys are important because they control security settings for event logging. By monitoring these changes, the query helps identify potential attempts by attackers to disable or manipulate event logging, which could be used to hide malicious activities or maintain unauthorized access. The query focuses on events where registry values are set, suggesting an active modification attempt.

Details

Ali Hussein profile picture

Ali Hussein

Released: February 25, 2025

Tables

DeviceRegistryEvents

Keywords

DeviceRegistryEventsEventLogChannelsKeyActionTypeCustomSDChannelAccess

Operators

has_any==endswithorand

Actions

GitHub