Threat Feed advisory (severity: high)

Windows EventLog Security Descriptor Tampering

This analytic detects suspicious modifications to the EventLog security descriptor registry value, specifically the 'CustomSD' value, within the registry path 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD', which can be used for defense evasion by attackers.

Attackers may target the Windows EventLog service to evade detection by manipulating security descriptors and access permissions. By modifying the 'CustomSD' value within the EventLog channel's registry key, adversaries can restrict access to event logs, preventing security products and administrators from collecting and analyzing crucial security data. This can effectively blind security tools, allowing attackers to operate undetected within the compromised environment. Tampering with the Security Descriptor Definition Language (SDDL) strings is a critical indicator of potential malicious activity that warrants immediate investigation. The detection focuses on changes to the 'CustomSD' value within the 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD' path.

Attack Chain

  1. The attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).
  2. The attacker escalates privileges to obtain necessary permissions to modify the registry.
  3. The attacker navigates to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>.
  4. The attacker identifies the CustomSD value within the registry key.
  5. The attacker modifies the CustomSD value, altering the security descriptor for the EventLog channel using tools like reg.exe or PowerShell.
  6. The attacker restricts access to the EventLog channel by modifying the SDDL string.
  7. Security products and administrators are now unable to collect or analyze event logs from the tampered channel.
  8. The attacker performs malicious activities without being logged, achieving persistence and evading detection.

Impact

Successful manipulation of EventLog security descriptors can severely impair an organization’s ability to detect and respond to security incidents. By restricting access to event logs, attackers can effectively blind security tools, allowing them to operate undetected. This can lead to prolonged compromises, data breaches, and other forms of significant damage. This form of tampering directly hinders incident response and forensic investigations, potentially affecting hundreds or thousands of systems depending on the scope of the attack.

Recommendation

  • Deploy the Sigma rule Detect EventLog SDDL Tampering to your SIEM to detect modifications to the EventLog security descriptor registry value.
  • Enable Sysmon Event ID 13 logging to capture registry modifications as required by the Sigma rule’s log source.
  • Investigate any alerts generated by the Detect EventLog SDDL Tampering Sigma rule, focusing on the affected host and user.
  • Monitor for unexpected or unauthorized processes modifying the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD.
  • Implement the Sysmon Technology Add-on (TA) to ensure proper data ingestion of Event ID 13 (registry modifications).
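The following Python script is an added example of the detection logic the analytic above describes, run over Sysmon Event ID 13 (registry value set) records as the recommendations require. It is not the vendor's Sigma rule (those are kept inside the platform) and not code from the original advisory. It assumes the Sysmon events have already been parsed into dictionaries carrying the standard Sysmon field names (EventID, TargetObject, Details, Image, User); the sample events, the process names and the SDDL strings are constructed for illustration. Beyond the page's match on the CustomSD path, it also parses the DACL of the new SDDL value and reports why the descriptor looks restrictive (deny ACEs, or no allow ACE for SYSTEM/Administrators), which helps an analyst triage the alert.

```python
import re
from dataclasses import dataclass, field

# Registry path from the advisory. Sysmon writes the hive as "HKLM"; the
# advisory spells it "HKEY_LOCAL_MACHINE", so both spellings are accepted.
CUSTOMSD_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\System\\CurrentControlSet\\Services\\EventLog\\"
    r"(?P<channel>[^\\]+)\\CustomSD$",
    re.IGNORECASE,
)

# One SDDL ACE: (ace_type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

DENY_TYPES = {"D", "OD", "XD"}          # SDDL deny ACE types
# Assumption for triage: SYSTEM (SY) and Administrators (BA) should keep an
# allow ACE on every classic channel; losing them is treated as a restriction.
EXPECTED_READERS = {"SY", "BA"}


@dataclass
class Finding:
    channel: str
    image: str
    user: str
    sddl: str
    reasons: list = field(default_factory=list)


def parse_dacl(sddl):
    """Return (ace_type, rights, sid) tuples from the D: section of an SDDL string."""
    m = re.search(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)", sddl)
    if not m:
        return []
    return [(t, rights, sid) for (t, _f, rights, _og, _ig, sid) in ACE_RE.findall(m.group("aces"))]


def assess_sddl(sddl):
    """Explain why a CustomSD value looks restrictive; an empty list means nothing obvious."""
    reasons = []
    aces = parse_dacl(sddl)
    if not aces:
        return ["no DACL / empty DACL"]
    for ace_type, _rights, sid in aces:
        if ace_type in DENY_TYPES:
            reasons.append(f"deny ACE for {sid}")
    allowed = {sid for ace_type, _r, sid in aces if ace_type == "A"}
    for sid in sorted(EXPECTED_READERS - allowed):
        reasons.append(f"no allow ACE for {sid}")
    return reasons


def detect(events):
    """Flag every Sysmon EID 13 event that sets a CustomSD value, with triage reasons."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = CUSTOMSD_RE.match(ev.get("TargetObject", ""))
        if not m:
            continue
        sddl = ev.get("Details", "")
        findings.append(Finding(m.group("channel"), ev.get("Image", ""),
                                ev.get("User", ""), sddl, assess_sddl(sddl)))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # CustomSD set on the Security channel to a descriptor that still grants SY and BA
        "EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": r"CORP\admin",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\Security\CustomSD",
        "Details": "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)",
    },
    {   # CustomSD set on the System channel to a descriptor that denies read and drops SY
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": r"NT AUTHORITY\SYSTEM",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\System\CustomSD",
        "Details": "O:BAG:SYD:(D;;0x1;;;WD)(A;;0x5;;;BA)",
    },
    {   # Unrelated value under the same key: must not alert
        "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\Application\MaxSize",
        "Details": "DWORD (0x01400000)",
    },
    {   # Different event type: ignored by this rule
        "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\user",
    },
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"channel={f.channel} image={f.image} user={f.user} "
              f"reasons={f.reasons or ['descriptor changed, no obvious restriction']}")
```

Every CustomSD change is reported, matching the advisory's rule, because even a benign-looking descriptor is an administrative change worth confirming; the reasons list only raises the priority of the ones that visibly restrict access.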

Detection coverage (2 rules)

Detect EventLog SDDL Tampering (level: high)

Detects modifications to the EventLog security descriptor registry value, which can be used for defense evasion.

Rule format: sigma | Tactics: defense_evasion | Techniques: T1562.002 | Log sources: registry_set, windows

Detect Process Modifying EventLog Security Descriptor (level: medium)

Detects processes that are modifying the EventLog Security Descriptor using registry operations.

Rule format: sigma | Tactics: defense_evasion | Techniques: T1562.002 | Log sources: process_creation, windows

Detection queries are kept inside the platform.