
Windows Event Log Access Tampering Via Registry

Format: Sigma · Level: HIGH · Source: SigmaHQ · ATT&CK: T1547.001, T1112 · Table: imRegistry · Tag: evasion
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-26T11:00:01Z · Confidence: low

Hunt Hypothesis

Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel.

Detection Rule

Sigma (Original)

title: Windows Event Log Access Tampering Via Registry
id: ba226dcf-d390-4642-b9af-b534872f1156
status: experimental
description: |
    Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
    - https://www.youtube.com/watch?v=uSYvHUVU8xY
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
author: X__Junior
date: 2025-01-16
modified: 2025-08-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1547.001
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    # O:SYG:SYD:(D;;0x1;;;WD)
    # O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)
    selection_key_1:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\CustomSD'
    selection_key_2:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows\EventLog\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
        TargetObject|endswith: '\ChannelAccess'
    selection_details:
        - Details|contains: 'D:(D;'
        - Details|contains|all:
              - 'D:('
              - ')(D;'
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_optional_empty:
        Image: ''
    filter_optional_null:
        Image: null
    condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative activity, still unlikely
level: high
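The two SDDL strings in the rule's comments show why selection_details has two branches: in O:SYG:SYD:(D;;0x1;;;WD) the deny ACE opens the DACL, so 'D:(D;' matches, while in O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD) an allow ACE comes first and only the 'D:(' plus ')(D;' pair catches it. The following Python is an added reference implementation of the rule's condition over constructed registry_set events, not code from SigmaHQ or from this feed; it also parses the DACL so an analyst can read which right is denied to whom. Field names (TargetObject, Details, Image) follow the Sigma rule; every event value, the channel name and the process paths are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SDDL ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

# SID abbreviations used in the rule's own sample SDDL strings
SID_ALIASES = {"WD": "Everyone (S-1-1-0)", "BA": "Built-in Administrators (S-1-5-32-544)",
               "SY": "Local System (S-1-5-18)"}
# Event-log-specific access rights: ELF_LOGFILE_READ 0x1, WRITE 0x2, CLEAR 0x4
EVENTLOG_RIGHTS = {"0x1": "read", "0x2": "write", "0x4": "clear"}


@dataclass(frozen=True)
class Ace:
    ace_type: str  # 'A' = access allowed, 'D' = access denied
    rights: str
    trustee: str


def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the 'D:' (DACL) component of an SDDL string, in order."""
    # Split at the component markers O:, G:, D:, S:; ACE bodies never contain a colon.
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if part.startswith("D:"):
            return [Ace(t, r, s) for t, _flags, r, _og, _iog, s in ACE_RE.findall(part[2:])]
    return []


def deny_summary(sddl: str) -> list:
    """Triage view of the deny ACEs: which right is denied to whom."""
    return [f"deny {EVENTLOG_RIGHTS.get(a.rights, a.rights)} ({a.rights}) to "
            f"{SID_ALIASES.get(a.trustee, a.trustee)}"
            for a in parse_dacl(sddl) if a.ace_type == "D"]


# (contains, endswith) pairs from selection_key_1 and selection_key_2
KEY_SELECTORS = (
    ("\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\", "\\CustomSD"),
    ("\\Policies\\Microsoft\\Windows\\EventLog\\", "\\ChannelAccess"),
    ("\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels", "\\ChannelAccess"),
)
TRUSTED_INSTALLER = "c:\\windows\\servicing\\trustedinstaller.exe"


def key_selected(target_object: str) -> bool:
    """1 of selection_key_*; Sigma string modifiers compare case-insensitively."""
    t = target_object.lower()
    return any(c.lower() in t and t.endswith(e.lower()) for c, e in KEY_SELECTORS)


def details_selected(details: str) -> bool:
    """selection_details: a deny ACE either opens the DACL or follows another ACE."""
    d = details.lower()
    return "d:(d;" in d or ("d:(" in d and ")(d;" in d)


def filtered(image: Optional[str]) -> bool:
    """filter_main_* (Windows servicing) and filter_optional_* (missing process)."""
    if not image:
        return True
    img = image.lower()
    return img == TRUSTED_INSTALLER or (
        img.startswith("c:\\windows\\winsxs\\") and img.endswith("\\tiworker.exe"))


def matches(event: dict) -> bool:
    """The rule's condition, evaluated on one registry_set event."""
    return (key_selected(event.get("TargetObject", ""))
            and details_selected(event.get("Details", ""))
            and not filtered(event.get("Image")))


def run(events) -> list:
    return [e for e in events if matches(e)]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CHANNEL_KEY = ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\"
               "Microsoft-Windows-Example/Operational\\ChannelAccess")
SAMPLE_EVENTS = [  # constructed registry_set events, not real telemetry
    # rule comment sample 1: deny read to Everyone opens the DACL -> 'D:(D;'
    {"Image": PS, "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security\\CustomSD",
     "Details": "O:SYG:SYD:(D;;0x1;;;WD)"},
    # rule comment sample 2: an allow ACE precedes the deny -> 'D:(' and ')(D;'
    {"Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": CHANNEL_KEY,
     "Details": "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)"},
    # same value written by Windows servicing -> suppressed by filter_main_trustedinstaller
    {"Image": "C:\\Windows\\servicing\\TrustedInstaller.exe", "TargetObject": CHANNEL_KEY,
     "Details": "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)"},
    # allow-only DACL -> selection_details does not fire
    {"Image": PS, "TargetObject": CHANNEL_KEY, "Details": "O:BAG:SYD:(A;;0x1;;;BA)(A;;0x1;;;SY)"},
    # deny ACE written outside the event log key paths -> no selection_key_* match
    {"Image": PS, "TargetObject": "HKLM\\SOFTWARE\\Example\\CustomSD", "Details": "O:SYG:SYD:(D;;0x1;;;WD)"},
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["TargetObject"])
        for line in deny_summary(hit["Details"]):
            print("   ", line)
```

Running the block reports the first two sample events and, for each, the denied right and trustee; the servicing write, the allow-only DACL and the non-EventLog key are all dropped, which mirrors how the filter_main_* and selection_* parts of the condition divide the work.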

KQL (Azure Sentinel)

imRegistry
| where (
        (RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\" and RegistryKey endswith "\\CustomSD")
        or (
            (RegistryKey contains "\\Policies\\Microsoft\\Windows\\EventLog\\" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels")
            and RegistryKey endswith "\\ChannelAccess"
        )
    )
    and (RegistryValueData contains "D:(D;" or (RegistryValueData contains "D:(" and RegistryValueData contains ")(D;"))
    and not (
        ActingProcessName =~ "C:\\Windows\\servicing\\TrustedInstaller.exe"
        or (ActingProcessName startswith "C:\\Windows\\WinSxS\\" and ActingProcessName endswith "\\TiWorker.exe")
    )
    and not (ActingProcessName =~ "" or isnull(ActingProcessName))

Required Data Sources

Sentinel Table    Notes
imRegistry        Ensure this data connector is enabled

False Positive Guidance

The rule's own falsepositives entry is "Administrative activity, still unlikely". Permission changes made by Windows servicing (C:\Windows\servicing\TrustedInstaller.exe, or TiWorker.exe under C:\Windows\WinSxS\) are excluded by the filter_main_* selections, and events with an empty or null Image are excluded by the filter_optional_* selections; the optional filters can be dropped once the registry telemetry reliably populates the process field.

MITRE ATT&CK Context

Tagged techniques: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1112 (Modify Registry), with the privilege-escalation, persistence and defense-impairment tags. The referenced Atomic Red Team test belongs to T1562.002 (Impair Defenses: Disable Windows Event Logging), which names the effect of restricting channel access more directly.
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml