Skip to content

Hide Navigation Hide TOC

Potential EventLog File Location Tampering (0cb8d736-995d-4ce7-a31e-1e8d452a1459)

Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting

Cluster A Galaxy A Cluster B Galaxy B Level
Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) Attack Pattern Potential EventLog File Location Tampering (0cb8d736-995d-4ce7-a31e-1e8d452a1459) Sigma-Rules 1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) Attack Pattern 2