Full Report
One of the more advanced tactics in attacker playbooks is tampering with event log configurations to erase traces of compromise. Detecting such attempts via Windows Registry modifications is complex—often involving detailed Splunk queries that filter by registry keys and permissions. To quickly make sense of these queries, analysts are turning to Uncoder AI’s AI-generated Decision […] The post Exposing Event Log Tampering with Uncoder AI’s AI Decision Tree for Splunk Queries appeared first on SOC Prime.
Analysis Summary
# Tool/Technique: Uncoder AI's AI-generated Decision Tree for Splunk Queries
## Overview
This refers to a feature within the Uncoder AI platform designed to simplify the understanding and analysis of complex Security Information and Event Management (SIEM) queries, specifically Splunk Search Processing Language (SPL) queries, used by security analysts. It visually maps these queries into logical decision trees to quickly determine the intent, scope, and execution paths of the detection logic. The example context focuses on using this tool to analyze queries designed to detect event log tampering via Windows Registry modifications.
## Technical Details
- Type: Tool (Feature within Uncoder AI platform)
- Platform: SIEM/Detection Engineering context (Focus on Splunk queries)
- Capabilities: Summarization, visual mapping of SPL queries into decision trees, rapid analysis of detection logic intent.
- First Seen: Not explicitly stated, but discussed in a May 1, 2025 article.
## MITRE ATT&CK Mapping
The technique being detected via the analyzed Splunk query relates to Event Log Tampering:
- **TA0005 - Defense Evasion**
- **T1070.002 - Indicator Removal: File Deletion** (Related to clearing/manipulating logs for evasion)
- **T1562 - Impair Defenses** (Broader category covering disabling logging mechanisms)
- **T1562.002 - Impair Defenses: Disable or Modify System Firewall** (Not a firewall change as such, but modifying access to logs falls under the same impairment category)
- **T1562.005 - Impair Defenses: Service Blocking** (If log services are stopped/altered)
*Note: The primary focus is analyzing the detection query for log tampering, which correlates with Defense Evasion tactics aimed at removing forensic artifacts.*
## Functionality
### Core Capabilities
- **Query Visualization:** Transforms complex SPL queries into navigable, logical decision trees.
- **Intent Assessment:** Helps security teams quickly understand *why* a query was written (e.g., detecting an attack behavior).
- **Scope Identification:** Clarifies the exact data sources and filters being examined.
### Advanced Features
- **Detection Engineering Aid:** Serves as an IDE enhancement for quickly adapting or building detection rules.
- **Contextual Analysis:** Specifically used here to analyze detections hunting for **Event Log Tampering** actions resulting from Windows Registry modifications.
## Indicators of Compromise
The summary covers the *detection logic* rather than file-based IoCs; the indicators it relies on are specific modifications to Windows Event Log configuration:
- File Hashes: N/A (Focus on behavioral/configuration monitoring)
- File Names: N/A
- Registry Keys:
  - `SYSTEM\CurrentControlSet\Services\EventLog`
  - `Policies\Microsoft\Windows\EventLog`
  - `Microsoft\Windows\CurrentVersion\WINEVT\Channels`
- Network Indicators: N/A
- Behavioral Indicators:
  - Modifications to registry permissions/Security Descriptor Definition Language (SDDL) entries (`CustomSD` changes).
  - Presence of SDDL patterns like `D:(...)` in event details, indicating direct permission modifications on channels/logs.
## Associated Threat Actors
This tool focuses on detection engineering, not specific malware. However, the *behavior* being detected (Event Log Tampering via Registry modification) is common among various advanced threat actors seeking to cover their tracks.
## Detection Methods
Detection is achieved by monitoring the Windows Registry for the modifications noted above, which are then analyzed for relevance:
- Signature-based detection: Queries looking for specific registry value writes at the paths listed.
- Behavioral detection: Monitoring for access control list (ACL) or permission changes often involving SDDL modification commands.
- YARA rules: N/A (Focus is on SIEM event correlation rather than file-based analysis).
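To make the indicator list and the two detection tiers above concrete, here is an added example (not code from the SOC Prime post or from Uncoder AI) that applies the same logic outside Splunk: it filters registry-value-set records to the three key paths named on the page, treats any write there as a low-severity signature hit, and escalates when the value is `CustomSD` or the written data carries an SDDL DACL (`D:(...)`), whose ACEs it parses out. The record shape, the event samples and the severity labels are assumptions constructed for this example.

```python
import re

# Registry paths named on the page; matched case-insensitively as substrings of TargetObject
WATCHED_KEY_PATHS = (
    r"SYSTEM\CurrentControlSet\Services\EventLog",
    r"Policies\Microsoft\Windows\EventLog",
    r"Microsoft\Windows\CurrentVersion\WINEVT\Channels",
)
# An SDDL DACL is "D:" + optional flags (P, AI, AR) + one or more "(...)" ACEs
SDDL_DACL_RE = re.compile(r"D:[A-Z]*(?:\([^()]*\))+")
ACE_RE = re.compile(r"\(([^()]*)\)")

def parse_dacl_aces(text):
    """Return (ace_type, rights, trustee) for each ACE of the first SDDL DACL found in text."""
    m = SDDL_DACL_RE.search(text)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(0)):
        f = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(f) == 6:
            aces.append((f[0], f[2], f[5]))
    return aces

def classify_registry_event(event):
    """Two tiers: any write under a watched path is 'low'; CustomSD or SDDL data is 'high'."""
    path = event.get("TargetObject", "")
    if not any(p.lower() in path.lower() for p in WATCHED_KEY_PATHS):
        return None  # outside the EventLog configuration keys the page lists
    value_name = path.rsplit("\\", 1)[-1].lower()
    aces = parse_dacl_aces(event.get("Details", ""))
    if value_name == "customsd" or aces:
        who = ", ".join("%s:%s" % (t, sid) for t, _, sid in aces) or "no ACEs parsed"
        return ("high", "log ACL change at %s (%s)" % (path, who))
    return ("low", "value write under watched EventLog key: %s" % path)

def triage(events):
    """Run the classifier over records and keep only the hits, in input order."""
    return [v for v in map(classify_registry_event, events) if v]

# Constructed sample records in the shape of Sysmon Event ID 13 (RegistryEvent: Value Set)
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\CustomSD",
     "Details": "O:BAG:SYD:(D;;0x1;;;WD)(A;;0x1;;;BA)"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\tools\updater.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Security\ChannelAccess",
     "Details": "O:BAG:SYD:(A;;0x1;;;BA)(A;;0x1;;;SY)"},
    {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize",
     "Details": "DWORD (0x01400000)"},
]
```

Running `triage(SAMPLE_EVENTS)` yields two high-severity hits (the `CustomSD` write and the `ChannelAccess` SDDL write), one low-severity hit for the `MaxSize` change, and nothing for the `Run` key, which is out of scope.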
## Mitigation Strategies
Mitigation focuses on preventing the successful tampering of security logs:
- Prevention measures: Implementing strict access controls and **least privilege mandates** on security-relevant registry keys (especially those under `SYSTEM\CurrentControlSet` and EventLog policy paths).
- Hardening recommendations: Utilizing tools like Windows Defender Application Control (WDAC) or AppLocker to restrict unauthorized process access to critical system settings; ensuring changes to the registry keys above are themselves logged (e.g., enabling Registry auditing on those paths).
## Related Tools/Techniques
- SOC Prime Threat Detection Marketplace (for related detection content)
- Uncoder AI (The primary platform)
- Splunk (The SIEM environment being queried)
- Detection Engineering (The domain of activity)