Severity: medium | Type: advisory
Disable Windows Event and Security Logs Using Built-in Tools
3 rules, 3 TTPs
Attackers attempt to disable Windows Event and Security Logs using logman, PowerShell, or auditpol to evade detection and cover their tracks.
Data sources: Microsoft Defender XDR +2
Tags: defense-evasion, windows, eventlog
Severity: high | Type: advisory
Windows EventLog Security Descriptor Tampering
2 rules, 1 TTP
This analytic detects suspicious modifications to the EventLog security descriptor registry value, specifically the 'CustomSD' value, within the registry path 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD', which can be used for defense evasion by attackers.
Data sources: Sysmon +3
Tags: defense-evasion, eventlog, registry, tampering
Severity: high | Type: advisory
Windows EventLog ChannelAccess Registry Modification
2 rules, 1 TTP
An attacker modifies the Windows EventLog ChannelAccess registry value to evade defenses by blocking security products from accessing event logs.
Data sources: Sysmon
Tags: defense-evasion, registry-modification, eventlog, windows