The creation of EVTX files in uncommon locations indicates potential adversary activity involving log tampering or persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate threats that could obscure forensic evidence or maintain long-term access.
Detection Rule
title: EVTX Created In Uncommon Location
id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
status: test
description: |
Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
references:
- https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2024-03-26
tags:
- attack.defense-evasion
- attack.t1562.002
logsource:
category: file_event
product: windows
definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx<TargetFilename>'
detection:
selection:
TargetFilename|endswith: '.evtx'
filter_main_path:
TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
filter_main_baseimage:
TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrator or backup activity
- An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "<log_name">_<uuid>.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml
imFileEvent
| where TargetFileName endswith ".evtx" and (not((TargetFileName startswith "C:\\Windows\\System32\\winevt\\Logs\\" or (TargetFileName startswith "C:\\ProgramData\\Microsoft\\Windows\\Containers\\BaseImages\\" and TargetFileName endswith "\\Windows\\System32\\winevt\\Logs\\"))))Scenario: A system administrator uses PowerShell to create a temporary log file in a non-standard directory during routine troubleshooting.
Filter/Exclusion: Exclude files created by PowerShell scripts with the Start-Transcript or Out-File commands in known admin directories like C:\Windows\Temp or user-specific temp folders.
Scenario: A scheduled job (e.g., using Task Scheduler) runs a script that generates output files in a custom directory for data processing.
Filter/Exclusion: Exclude files created by scheduled tasks with known job names or paths, such as C:\ScheduledTasks\DailyReport\output.log.
Scenario: A backup tool (e.g., Veeam, Commvault) creates temporary files in a non-standard location during a backup operation.
Filter/Exclusion: Exclude files created by known backup tools using their unique process names or file patterns, such as C:\BackupTemp\*.tmp.
Scenario: A developer uses Visual Studio or Azure DevOps to generate build artifacts in a custom directory during a CI/CD pipeline.
Filter/Exclusion: Exclude files created by build tools or IDEs in directories like C:\BuildArtifacts or paths containing Build or CI in their names.
Scenario: An IT support tool (e.g., SolarWinds, ManageEngine) creates temporary files in a non-standard location for diagnostics or reporting.
Filter/Exclusion: Exclude files created by known IT management tools using their process names or directory paths, such as C:\SupportTools\Temp\*.log.