valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
dea019f89d
SigmaHQ/rules/windows/builtin/win_disable_event_logging.yml
Thomas Patzke a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00

24 lines
1.3 KiB
YAML
Raw Blame History

title: Disabling Windows Event Auditing
description: >
Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
where an entity would want to bypass local logging to evade detection when windows event logging is enabled and
reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure
that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
references:
- https://bit.ly/WinLogsZero2Hero
author: '@neu5ron'
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
detection:
selection:
EventID: 4719
AuditPolicyChanges: 'removed'
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink