Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

Windows Event Auditing Disabled

Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
@neu5ron, Nasreddine Bencherchali (Nextron Systems)Created Sun Nov 19Updated Wed Nov 1569aeb277-f15f-4d2d-b32a-55e883609563windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security

Definition

dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        EventID: 4719
        AuditPolicyChanges|contains:
            - '%%8448' # This is "Success removed"
            - '%%8450' # This is "Failure removed"
    filter_main_guid:
        # Note: We filter these GUID to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
        SubcategoryGuid:
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service'
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
docs.google.com
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

Important Windows Event Auditing Disabled

Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
69aeb277-f15f-4d2d-b32a-55e883609563
Status
test
Level
low
Type
Detection
Created
Sun Nov 19
Modified
Wed Nov 15
Author
@neu5ron, Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/builtin/security/win_security_disable_event_auditing.yml
Raw Tags
attack.defense-evasionattack.t1562.002
View on GitHub