
Change Winevt Channel Access Permission Via Registry

Sigma Rules

Summary
This rule detects tampering with the ChannelAccess registry value, which holds the SDDL security descriptor that decides who may read, write and clear a Windows event log channel. Attackers rewrite these permissions as a defense-evasion step so that fewer events reach the log and security tooling loses visibility into their activity. The rule looks for registry value-set events whose target object lies under '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\' and ends with '\ChannelAccess', and whose details contain an access-control entry granting the local Administrator account (LA), Local System (SY) or the built-in Administrators group (BA) write access to the channel. Writes performed by TrustedInstaller.exe or TiWorker.exe are excluded, because Windows servicing legitimately sets these descriptors when components are installed or updated. Since event logs are the primary record of what happened on a host, a ChannelAccess change by any other process deserves investigation: it may be an attempt to silence or restrict a channel before further activity.

Tuning notes: the exclusion matches on image name only, so a binary called TrustedInstaller.exe or TiWorker.exe dropped outside \Windows\servicing or \Windows\WinSxS would also be excluded; match on the full path if your telemetry supports it. Administrators legitimately change channel permissions with wevtutil.exe (set-log with the /ca:<SDDL> option), so expect occasional benign hits that should be checked against change records rather than filtered out wholesale.
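The following Python is an added illustration of the matching described above and is not the rule's YAML or any Sigma project code. It runs over a few constructed Sysmon-style registry value-set events (Event ID 13 field names Image, TargetObject and Details). The SDDL parser is deliberately simplified, and treating an allow ACE for LA, SY or BA whose access mask contains the write bit (0x2, alongside 0x1 read and 0x4 clear for event channels) as the "writable" condition is this example's assumption; the exact Details strings the real rule matches are in its source.

```python
import re

# Constructed Sysmon-style registry value-set events (Event ID 13 field names), not real telemetry.
SAMPLE_EVENTS = [
    {   # Windows servicing rewriting a channel descriptor: legitimate, excluded by the image filter
        "RecordNumber": 1,
        "Image": r"C:\Windows\WinSxS\amd64_servicingstack\TiWorker.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell/Operational\ChannelAccess",
        "Details": "O:BAG:SYD:(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x1;;;S-1-5-32-573)",
    },
    {   # PowerShell granting Administrators and System full control over the Security channel: should alert
        "RecordNumber": 2,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Security\ChannelAccess",
        "Details": "O:BAG:SYD:(A;;0x7;;;BA)(A;;0x7;;;SY)(A;;0x1;;;S-1-5-32-573)",
    },
    {   # A different value under the same channel key: not ChannelAccess, so out of scope
        "RecordNumber": 3,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Security\Enabled",
        "Details": "DWORD (0x00000000)",
    },
    {   # Read-only ACEs for BA and SY: no write bit, so not matched under this example's interpretation
        "RecordNumber": 4,
        "Image": r"C:\Windows\System32\cmd.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Security\ChannelAccess",
        "Details": "O:BAG:SYD:(A;;0x1;;;BA)(A;;0x1;;;SY)",
    },
]

# Rule conditions as described in the summary (lower-cased for case-insensitive matching).
CHANNELS_PATH = "\\microsoft\\windows\\currentversion\\winevt\\channels\\"
TRUSTED_IMAGES = ("\\trustedinstaller.exe", "\\tiworker.exe")
# SDDL account abbreviations: local Administrator account, Local System, built-in Administrators.
WATCHED_SIDS = {"LA", "SY", "BA"}
# Event channel access mask bits: 0x1 read, 0x2 write, 0x4 clear. Using 0x2 as "writable" is this
# example's assumption, not necessarily the literal Details strings the Sigma rule matches.
WRITE = 0x2

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<mask>[^;]*);[^;]*;[^;]*;(?P<sid>[^;)]+)\)")


def parse_aces(sddl):
    """Return (ace_type, access_mask_text, sid) for each ACE in the DACL of an SDDL string.

    Simplified parser: assumes the O:, G:, D: component order Windows emits and ignores SACL (S:) entries.
    """
    dacl = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not dacl:
        return []
    return [(a.group("type"), a.group("mask"), a.group("sid")) for a in ACE_RE.finditer(dacl.group(1))]


def grants_write(mask_text):
    """True if an ACE rights field includes channel write: a hex mask with bit 0x2, or a generic GA/GW token."""
    m = mask_text.upper()
    if m.startswith("0X"):
        return bool(int(m, 16) & WRITE)
    return "GA" in m or "GW" in m


def matches_rule(event):
    """Apply the rule's path, image-exclusion and descriptor conditions to one registry value-set event."""
    target = event.get("TargetObject", "").lower()
    if CHANNELS_PATH not in target or not target.endswith("\\channelaccess"):
        return False
    if event.get("Image", "").lower().endswith(TRUSTED_IMAGES):
        return False  # Windows servicing processes are allowed to set channel descriptors
    return any(ace_type == "A" and sid in WATCHED_SIDS and grants_write(mask)
               for ace_type, mask, sid in parse_aces(event.get("Details", "")))


def run_detection(events):
    """Return the RecordNumbers of events the rule would alert on, in input order."""
    return [e["RecordNumber"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print("Alerting records:", run_detection(SAMPLE_EVENTS))  # [2]
```

The image exclusion here is the name-only filter the summary describes; in production, compare the full path against the servicing and WinSxS directories, and map the three field names onto whatever your SIEM calls them for registry value-set telemetry.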
Categories
  • Windows
Data Sources
  • Windows Registry
Created: 2022-09-17