SigmaHQ/rules/windows/builtin/win_disable_event_logging.yml

title: Disabling Windows Event Auditing
id: 69aeb277-f15f-4d2d-b32a-55e883609563
description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
references:
    - https://bit.ly/WinLogsZero2Hero
tags:
    - attack.defense_evasion
    - attack.t1054          # an old one
    - attack.t1562.002
author: '@neu5ron'
date: 2017/11/19
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
    selection:
        EventID: 4719
        AuditPolicyChanges: 'removed'
    condition: selection
falsepositives:
    - Unknown
level: high
Fixed win_disable_event_logging by multiline description 2017-11-19 21:49:40 +00:00			`title: Disabling Windows Event Auditing`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 69aeb277-f15f-4d2d-b32a-55e883609563`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
Change "reference" to "references" to match new schema 2018-01-27 23:12:19 +00:00			`references:`
Fixed win_disable_event_logging by multiline description 2017-11-19 21:49:40 +00:00			`- https://bit.ly/WinLogsZero2Hero`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.defense_evasion`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1054 # an old one`
fix typos, update tags 2020-09-13 13:46:45 +00:00			`- attack.t1562.002`
Fixed win_disable_event_logging by multiline description 2017-11-19 21:49:40 +00:00			`author: '@neu5ron'`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/11/19`
Fixed win_disable_event_logging by multiline description 2017-11-19 21:49:40 +00:00			`logsource:`
			`product: windows`
			`service: security`
win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 12:43:44 +00:00			`definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'`
Fixed win_disable_event_logging by multiline description 2017-11-19 21:49:40 +00:00			`detection:`
			`selection:`
			`EventID: 4719`
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename 2018-03-26 20:53:38 +00:00			`AuditPolicyChanges: 'removed'`
Fixed win_disable_event_logging by multiline description 2017-11-19 21:49:40 +00:00			`condition: selection`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`falsepositives:`
Fixed win_disable_event_logging by multiline description 2017-11-19 21:49:40 +00:00			`- Unknown`
			`level: high`