Windows EventLog ChannelAccess Registry Modification
An attacker modifies the Windows EventLog ChannelAccess registry value to evade defenses by blocking security products from accessing event logs.
This threat brief details the detection of suspicious modifications to the EventLog security descriptor registry value in Windows systems. Attackers can manipulate the “CustomSD” value within the “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD” path to alter access permissions, effectively blinding security products that rely on event log data. This technique, often employed for defense evasion, can prevent security tools and administrators from monitoring or responding to malicious activity. LockBit ransomware has been observed using similar techniques. Detecting and preventing these modifications is crucial for maintaining visibility and incident response capabilities.
Attack Chain
- The attacker gains initial access to the system (e.g., through compromised credentials or exploiting a vulnerability).
- The attacker elevates privileges to obtain the necessary permissions to modify the registry.
- The attacker navigates to the specific registry path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD.
- The attacker modifies the “ChannelAccess” registry value (CustomSD) to restrict access to the event logs. This involves manipulating the Security Descriptor Definition Language (SDDL) string.
- The modified SDDL string restricts access for specific users, groups, or processes, including security products that ingest event logs.
- Security products are now unable to collect or analyze event logs, hindering detection and incident response.
- The attacker performs malicious activities, such as lateral movement or data exfiltration, without being detected through standard event log monitoring.
- The final objective is to achieve persistence and complete the attack (e.g., ransomware deployment, data theft) without triggering alerts.
Impact
Successful modification of the EventLog ChannelAccess registry value can severely impair an organization’s ability to detect and respond to security incidents. This can lead to delayed detection of malware infections, data breaches, and other malicious activities. Specifically, LockBit ransomware has been observed using similar techniques to evade detection. The number of affected systems depends on the scope of the attacker’s access and the effectiveness of their evasion techniques. This blind spot allows attackers to operate with impunity, increasing the potential for significant financial and reputational damage.
Recommendation
- Deploy the Sigma rule “Registry Modification of EventLog ChannelAccess” to your SIEM to detect suspicious modifications to the “ChannelAccess” registry value (CustomSD) under the “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog” path.
- Enable Sysmon Event ID 13 to ensure registry modifications are captured and available for analysis, enabling the Sigma rule to function correctly.
- Investigate any alerts triggered by the “Registry Modification of EventLog ChannelAccess” rule, focusing on the processes modifying the registry and the associated users.
- Monitor for unexpected or unauthorized changes to SDDL strings within the EventLog registry keys, as these can indicate malicious attempts to evade detection.
- Review and harden registry permissions to prevent unauthorized modifications, reducing the attack surface for this technique.
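As an added example (not the page's Sigma rule or the platform's query), the following Python triage logic applies the recommendations above to constructed Sysmon Event ID 13 records: it matches writes to the CustomSD path named on the page (and, from the documented Windows layout rather than from this page, the WINEVT ChannelAccess path), then parses the written SDDL string and flags deny ACEs, the pattern that blinds a log-collector account. Field names follow Sysmon's EventData; the SIDs and process paths are constructed.

```python
"""Triage Sysmon Event ID 13 (Value Set) records that rewrite an event log channel's
security descriptor and flag deny ACEs in the new SDDL. Added example; samples constructed."""
import re

# Legacy CustomSD path named on the page, plus the WINEVT ChannelAccess path
# (the latter added here from the documented Windows layout, not from the page).
SD_KEY_RE = re.compile(
    r"\\(?:Services\\EventLog\\(?P<legacy>[^\\]+)\\CustomSD"
    r"|WINEVT\\Channels\\(?P<winevt>[^\\]+)\\ChannelAccess)$", re.IGNORECASE)
# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([A-Z]+);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")

def dacl_aces(sddl):
    """Return (ace_type, rights, sid) tuples for every ACE in the DACL ('D:') section."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    return ACE_RE.findall(dacl.split("S:", 1)[0])  # ignore a trailing SACL

def triage_event(event):
    """Return an alert dict for a channel-SD write, or None for any other event.
    `event` holds Sysmon EventData fields: EventID, Image, TargetObject, Details."""
    if event.get("EventID") != 13:
        return None
    m = SD_KEY_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    denied = [sid for ace_type, _rights, sid in dacl_aces(event.get("Details", ""))
              if ace_type == "D"]
    return {"channel": m.group("legacy") or m.group("winevt"),
            "image": event.get("Image", ""),
            "denied_sids": denied,
            "severity": "high" if denied else "medium"}  # any rewrite deserves review

def triage_all(events):
    """Return alerts for every channel-SD write in `events`."""
    return [a for a in map(triage_event, events) if a]

# Constructed sample records; SIDs and process paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\Security\CustomSD",
     "Details": "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)"
                "(D;;0x1;;;S-1-5-21-1111-2222-3333-1105)"},  # denies a collector SID
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain",
     "Details": "corp.example"},  # unrelated value set, must not alert
]
if __name__ == "__main__":
    for alert in triage_all(SAMPLE_EVENTS):
        print(alert)
```

In a SIEM, the same two steps (path match, then deny-ACE parse) can be expressed as a rule condition plus a post-processing enrichment so that a rewrite that merely adds a deny ACE for a collector account is escalated above a routine descriptor reset.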
Detection coverage (2 rules)
- Registry Modification of EventLog ChannelAccess (severity: high): Detects modifications to the EventLog ChannelAccess registry value, which can be used to blind security products.
- Sysmon EventLog ChannelAccess Registry Value Set (severity: high): Detects when the EventLog ChannelAccess registry value is set.