Merge pull request #5584 from X-Junior/fix-fp-log-access-tampering

fix: Windows Event Log Access Tampering Via Registry
2025-08-06 11:27:03 +03:00
parent 73444cac35 c48c992f70
commit bf077aac7d
1 changed files with 11 additions and 2 deletions
@@ -9,7 +9,7 @@ references:
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
 author: X__Junior
 date: 2025-01-16
-modified: 2025-02-05
+modified: 2025-08-16
 tags:
    - attack.defense-evasion
    - attack.t1547.001
@@ -33,7 +33,16 @@ detection:
        - Details|contains|all:
              - 'D:('
              - ')(D;'
-    condition: 1 of selection_key_* and selection_details
+    filter_main_trustedinstaller:
+        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
+    filter_main_tiworker:
+        Image|startswith: 'C:\Windows\WinSxS\'
+        Image|endswith: '\TiWorker.exe'
+    filter_optional_empty:
+        Image: ''
+    filter_optional_null:
+        Image: null
+    condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Administrative activity, still unlikely
 level: high