Potential EventLog File Location Tampering (0cb8d736-995d-4ce7-a31e-1e8d452a1459)

Detects tampering with the EventLog service "file" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | Potential EventLog File Location Tampering (0cb8d736-995d-4ce7-a31e-1e8d452a1459) | Sigma-Rules | 1 |
| Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2 |