Disable Windows Event Logging Via Registry
Detects a write of 0 to the "Enabled" registry value of a Windows event channel (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<channel>\Enabled), which disables logging for that channel.
Authors: François Hubaut, Nasreddine Bencherchali (Nextron Systems). Created Mon Jul 04, updated Mon Mar 25. Rule ID 2f78da12-f7c7-430b-8b19-a28f269b77a3, product: windows.
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (7 selectors)
```yaml
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
        TargetObject|endswith: '\Enabled'
        Details: 'DWORD (0x00000000)'
    filter_main_wevutil:
        Image: 'C:\Windows\system32\wevtutil.exe' # FP generated during installation of manifests via wevtutil
    filter_main_iis:
        Image|startswith: 'C:\Windows\winsxs\'
        Image|endswith: '\TiWorker.exe' # Many different TargetObjects
    filter_main_svchost:
        Image: 'C:\Windows\System32\svchost.exe'
        TargetObject|contains:
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational\'
    filter_main_trusted_installer:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser'
    filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
        Image: ''
    filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
```

False Positives
Rare false positives may occur when legitimate administrators disable a specific event log channel for troubleshooting.
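To make the selection/filter semantics concrete, here is an added example (not code from the rule's authors or from any Sigma backend) that evaluates the rule above by hand over constructed Sysmon Event ID 13 (registry_set) records. Sigma string matching is case-insensitive, so every comparison lowercases both sides; a YAML mapping inside a selector is an AND, a list is an OR, and `Image: null` matches an event that has no Image field at all. The record layout (RecordId, Image, TargetObject, Details) and all sample paths are assumptions modelled on Sysmon's fields; the events are constructed, not real telemetry.

```python
"""Hand evaluation of the Sigma rule 'Disable Windows Event Logging Via Registry'
over constructed Sysmon Event ID 13 records (added example, not the rule's own code)."""
from __future__ import annotations

from typing import Callable, Optional

Event = dict[str, Optional[str]]

# Lower-cased fragment of the channel configuration path used by every selector.
CHANNELS = "\\microsoft\\windows\\currentversion\\winevt\\channels\\"


def _lower(value: Optional[str]) -> str:
    """Sigma matching is case-insensitive; treat a missing field as ''."""
    return (value or "").lower()


def selection(e: Event) -> bool:
    """All three fields must match (YAML mapping => logical AND)."""
    target = _lower(e.get("TargetObject"))
    return (CHANNELS in target
            and target.endswith("\\enabled")
            and _lower(e.get("Details")) == "dword (0x00000000)")


def filter_main_wevutil(e: Event) -> bool:
    return _lower(e.get("Image")) == "c:\\windows\\system32\\wevtutil.exe"


def filter_main_iis(e: Event) -> bool:
    image = _lower(e.get("Image"))
    return image.startswith("c:\\windows\\winsxs\\") and image.endswith("\\tiworker.exe")


SVCHOST_CHANNELS = (  # the allow-listed channels from filter_main_svchost (list => OR)
    CHANNELS + "microsoft-windows-fileinfominifilter",
    CHANNELS + "microsoft-windows-asn1\\",
    CHANNELS + "microsoft-windows-kernel-appcompat\\",
    CHANNELS + "microsoft-windows-runtime\\error\\",
    CHANNELS + "microsoft-windows-capi2/operational\\",
)


def filter_main_svchost(e: Event) -> bool:
    target = _lower(e.get("TargetObject"))
    return (_lower(e.get("Image")) == "c:\\windows\\system32\\svchost.exe"
            and any(fragment in target for fragment in SVCHOST_CHANNELS))


def filter_main_trusted_installer(e: Event) -> bool:
    return (_lower(e.get("Image")) == "c:\\windows\\servicing\\trustedinstaller.exe"
            and CHANNELS + "microsoft-windows-compat-appraiser" in _lower(e.get("TargetObject")))


def filter_optional_empty(e: Event) -> bool:
    return e.get("Image") == ""


def filter_optional_null(e: Event) -> bool:
    return e.get("Image") is None  # Sigma `null`: field absent from the event


FILTERS: tuple[Callable[[Event], bool], ...] = (
    filter_main_wevutil, filter_main_iis, filter_main_svchost,
    filter_main_trusted_installer, filter_optional_empty, filter_optional_null,
)


def rule_matches(e: Event) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(e) and not any(f(e) for f in FILTERS)


def alerting_events(events: list[Event]) -> list[str]:
    """RecordIds of every event the rule would alert on."""
    return [e["RecordId"] for e in events if rule_matches(e)]


WINEVT = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\"
OFF, ON = "DWORD (0x00000000)", "DWORD (0x00000001)"

# Constructed Sysmon Event ID 13 records (assumed layout; not real telemetry).
SAMPLE_EVENTS: list[Event] = [
    # 1. powershell.exe disables the PowerShell operational channel -> alert
    {"RecordId": "1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": WINEVT + "Microsoft-Windows-PowerShell/Operational\\Enabled", "Details": OFF},
    # 2. same write by wevtutil.exe -> suppressed by filter_main_wevutil
    {"RecordId": "2", "Image": "C:\\Windows\\system32\\wevtutil.exe",
     "TargetObject": WINEVT + "Microsoft-Windows-PowerShell/Operational\\Enabled", "Details": OFF},
    # 3. svchost.exe on an allow-listed noisy channel -> suppressed
    {"RecordId": "3", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": WINEVT + "Microsoft-Windows-FileInfoMinifilter\\Enabled", "Details": OFF},
    # 4. svchost.exe on a channel NOT in the allow-list -> still alerts
    {"RecordId": "4", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": WINEVT + "Microsoft-Windows-Sysmon/Operational\\Enabled", "Details": OFF},
    # 5. channel being turned ON (value 1) -> selection does not match
    {"RecordId": "5", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": WINEVT + "Microsoft-Windows-Sysmon/Operational\\Enabled", "Details": ON},
    # 6. servicing stack TiWorker.exe under winsxs (constructed directory name) -> suppressed
    {"RecordId": "6", "Image": "C:\\Windows\\winsxs\\amd64_servicingstack_example\\TiWorker.exe",
     "TargetObject": WINEVT + "Microsoft-Windows-Example/Operational\\Enabled", "Details": OFF},
    # 7. empty Image (the Aurora artefact the optional filters exist for) -> suppressed
    {"RecordId": "7", "Image": "", "TargetObject": WINEVT + "Security\\Enabled", "Details": OFF},
]

if __name__ == "__main__":
    print("alerting RecordIds:", alerting_events(SAMPLE_EVENTS))  # ['1', '4']
```

Record 4 is the one worth noticing when tuning: the svchost filter is scoped to the five listed channels, so a service-hosted process switching off any other channel (here Sysmon's own log) still fires. Records 2 and 6 show why the wevtutil and TiWorker exclusions are unconditional on the channel name, which is also the gap an attacker can abuse by proxying the write through wevtutil.exe; the rule accepts that trade-off to keep update noise down.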
MITRE ATT&CK
Tactic: Defense Evasion (attack.defense-evasion)
Sub-technique: T1562.002 Impair Defenses: Disable Windows Event Logging (attack.t1562.002)
Rule Metadata
Rule ID: 2f78da12-f7c7-430b-8b19-a28f269b77a3
Status: test
Level: high
Type: Detection
Created: Mon Jul 04
Modified: Mon Mar 25
Path: rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
Raw Tags: attack.defense-evasion, attack.t1562.002