From 440706e971ee163a02732f3d13ee8a3e9f226ec7 Mon Sep 17 00:00:00 2001
From: vadim <atomm32@gmail.com>
Date: Mon, 2 Jan 2023 13:21:33 +0300
Subject: [PATCH 1/2] Rules for detecting changes in the storage paths of evtx
 logs

---
 .../file_event_win_create_susp_evtx.yml       | 28 +++++++++++++++++++
 .../registry_set_path_to_evtx.yml             | 25 +++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_win_create_susp_evtx.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_path_to_evtx.yml

diff --git a/rules/windows/file/file_event/file_event_win_create_susp_evtx.yml b/rules/windows/file/file_event/file_event_win_create_susp_evtx.yml
new file mode 100644
index 000000000..4df599326
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_create_susp_evtx.yml
@@ -0,0 +1,28 @@
+title: Create Suspicious EVTX
+id: 65236EC7-ACE0-4F0C-82FD-737B04FD4DCB
+status: experimental
+description: Detects create new suspicious evtx files.
+references:
+    - not found
+author: D3F7A5105
+date: 2022/12/31
+logsource:
+    category: file_event
+    product: windows
+    definition: Check your sysmon configuration for monitoring Eventid 11. Added <TargetFilename condition="end with">.evtx<TargetFilename>
+detection:
+    selection:
+        TargetFilename|endswith: '.evtx'
+    filter1:
+        TargetFilename|contains: 'Windows\System32\WinEVT\Logs\'
+    filter2:
+        Image: "C:\\Windows\\Explorer.EXE"
+    filter3:
+        Image: "C:\\Windows\\system32\\DllHost.exe"
+    condition: selection and not filter1 and not filter2 and not filter3
+falsepositives:
+    - Admin activity
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_path_to_evtx.yml b/rules/windows/registry/registry_set/registry_set_path_to_evtx.yml
new file mode 100644
index 000000000..c1abdcc47
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_path_to_evtx.yml
@@ -0,0 +1,25 @@
+title: Change Path to Evtx
+id: 0CB8D736-995D-4CE7-A31E-1E8D452A1459
+description: Detects change path windows event log
+status: experimental
+date: 2022/12/31
+author: D3F7A5105
+references:
+    - not found
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
+        TargetObject|endswith: '\File'
+    filter:
+        Details|contains: 'Windows\System32\Winevt\Logs'
+    condition: selection and not filter
+falsepositives:
+    - Admin activity
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
\ No newline at end of file

From 6819d264ccba74f56f81723843b81986bb602c50 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 2 Jan 2023 15:25:19 +0100
Subject: [PATCH 2/2] fix: update evtx tamper rules

---
 .github/workflows/known-FPs.csv               |  1 +
 ...t_win_create_evtx_non_common_locations.yml | 32 +++++++++++++++++++
 .../file_event_win_create_susp_evtx.yml       | 28 ----------------
 .../registry_set_evtx_file_key_tamper.yml     | 25 +++++++++++++++
 .../registry_set_path_to_evtx.yml             | 25 ---------------
 5 files changed, 58 insertions(+), 53 deletions(-)
 create mode 100644 rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
 delete mode 100644 rules/windows/file/file_event/file_event_win_create_susp_evtx.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
 delete mode 100644 rules/windows/registry/registry_set/registry_set_path_to_evtx.yml

diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 7bebef0de..9292a45c7 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -49,3 +49,4 @@ c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Insta
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\.exe 
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\.exe 
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe
+65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe
diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
new file mode 100644
index 000000000..23af8d1dd
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
@@ -0,0 +1,32 @@
+title: EVTX Created In Uncommon Location
+id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
+status: experimental
+description: Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls
+references:
+    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
+author: D3F7A5105
+date: 2023/01/02
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: file_event
+    product: windows
+    definition: 'Requirements: The ".evtx" exntesion should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx<TargetFilename>'
+detection:
+    selection:
+        TargetFilename|endswith: '.evtx'
+    filter_path:
+        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
+    filter_baseimage:
+        TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
+        TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
+    filter_img:
+        Image:
+            - 'C:\Windows\explorer.exe'
+            - 'C:\Windows\system32\dllhost.exe'
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Admin activity
+    - Backup activity
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_create_susp_evtx.yml b/rules/windows/file/file_event/file_event_win_create_susp_evtx.yml
deleted file mode 100644
index 4df599326..000000000
--- a/rules/windows/file/file_event/file_event_win_create_susp_evtx.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Create Suspicious EVTX
-id: 65236EC7-ACE0-4F0C-82FD-737B04FD4DCB
-status: experimental
-description: Detects create new suspicious evtx files.
-references:
-    - not found
-author: D3F7A5105
-date: 2022/12/31
-logsource:
-    category: file_event
-    product: windows
-    definition: Check your sysmon configuration for monitoring Eventid 11. Added <TargetFilename condition="end with">.evtx<TargetFilename>
-detection:
-    selection:
-        TargetFilename|endswith: '.evtx'
-    filter1:
-        TargetFilename|contains: 'Windows\System32\WinEVT\Logs\'
-    filter2:
-        Image: "C:\\Windows\\Explorer.EXE"
-    filter3:
-        Image: "C:\\Windows\\system32\\DllHost.exe"
-    condition: selection and not filter1 and not filter2 and not filter3
-falsepositives:
-    - Admin activity
-level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1562.002
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
new file mode 100644
index 000000000..2eb8f76c9
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml
@@ -0,0 +1,25 @@
+title: Potential EventLog File Location Tampering
+id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
+status: experimental
+description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
+references:
+    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
+author: D3F7A5105
+date: 2023/01/02
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
+        TargetObject|endswith: '\File'
+    filter:
+        Details|contains: '\System32\Winevt\Logs\'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_path_to_evtx.yml b/rules/windows/registry/registry_set/registry_set_path_to_evtx.yml
deleted file mode 100644
index c1abdcc47..000000000
--- a/rules/windows/registry/registry_set/registry_set_path_to_evtx.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Change Path to Evtx
-id: 0CB8D736-995D-4CE7-A31E-1E8D452A1459
-description: Detects change path windows event log
-status: experimental
-date: 2022/12/31
-author: D3F7A5105
-references:
-    - not found
-logsource:
-    category: registry_set
-    product: windows
-detection:
-    selection:
-        EventType: SetValue
-        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
-        TargetObject|endswith: '\File'
-    filter:
-        Details|contains: 'Windows\System32\Winevt\Logs'
-    condition: selection and not filter
-falsepositives:
-    - Admin activity
-level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1562.002
\ No newline at end of file