Detects tampering with the “ChannelAccess” registry key in order to change access to Windows event channel.
title: Change Winevt Channel Access Permission Via Registry
id: 7d9263bd-dc47-4a58-bc92-5474abab390c
status: test
description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
references:
- https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
- https://learn.microsoft.com/en-us/windows/win32/api/winevt/
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: frack113
date: 2022-09-17
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
TargetObject|endswith: '\ChannelAccess'
# Add more interesting combinations if you found them
Details|contains:
- '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
- '(A;;0x1;;;SY)' # Local System having GENERIC ALL
- '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE
filter_main_trustedinstaller:
Image: 'C:\Windows\servicing\TrustedInstaller.exe'
filter_main_tiworker:
Image|startswith: 'C:\Windows\WinSxS\'
Image|endswith: '\TiWorker.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
imRegistry
| where (RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels*" and RegistryKey endswith "\\ChannelAccess" and (RegistryValueData contains "(A;;0x1;;;LA)" or RegistryValueData contains "(A;;0x1;;;SY)" or RegistryValueData contains "(A;;0x5;;;BA)")) and (not((ActingProcessName =~ "C:\\Windows\\servicing\\TrustedInstaller.exe" or (ActingProcessName startswith "C:\\Windows\\WinSxS\\" and ActingProcessName endswith "\\TiWorker.exe"))))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |