Merge pull request #3853 from D3F7A5105/master

Rules for detecting changes in the storage paths of evtx logs

.github/workflows/known-FPs.csv

@@ -49,3 +49,4 @@ c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Insta
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\.exe 
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\.exe 
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe
+65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe

rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml

@@ -0,0 +1,32 @@
+title: EVTX Created In Uncommon Location
+id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
+status: experimental
+description: Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls
+references:
+    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
+author: D3F7A5105
+date: 2023/01/02
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: file_event
+    product: windows
+    definition: 'Requirements: The ".evtx" exntesion should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx<TargetFilename>'
+detection:
+    selection:
+        TargetFilename|endswith: '.evtx'
+    filter_path:
+        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
+    filter_baseimage:
+        TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
+        TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
+    filter_img:
+        Image:
+            - 'C:\Windows\explorer.exe'
+            - 'C:\Windows\system32\dllhost.exe'
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Admin activity
+    - Backup activity
+level: medium

rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml

@@ -0,0 +1,25 @@
+title: Potential EventLog File Location Tampering
+id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
+status: experimental
+description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
+references:
+    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
+author: D3F7A5105
+date: 2023/01/02
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
+        TargetObject|endswith: '\File'
+    filter:
+        Details|contains: '\System32\Winevt\Logs\'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high