Added Sigma Rules

rules/Sigma/win_disable_event_logging.yml

@@ -0,0 +1,40 @@
+title: Disabling Windows Event Auditing
+author: '@neu5ron'
+date: 2017/11/19
+description: 'Detects scenarios where system auditing (ie: windows event log auditing)
+    is disabled. This may be used in a scenario where an entity would want to bypass
+    local logging to evade detection when windows event logging is enabled and reviewed.
+    Also, it is recommended to turn off "Local Group Policy Object Processing" via
+    GPO, which will make sure that Active Directory GPOs take precedence over local/edited
+    computer policies via something such as "gpedit.msc". Please note, that disabling
+    "Local Group Policy Object Processing" may cause an issue in scenarios of one
+    off specific GPO modifications -- however it is recommended to perform these modifications
+    in Active Directory anyways.'
+detection:
+    SELECTION_1:
+        EventID: 4719
+    SELECTION_2:
+        AuditPolicyChanges: '*%%8448*'
+    SELECTION_3:
+        AuditPolicyChanges: '*%%8450*'
+    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: 69aeb277-f15f-4d2d-b32a-55e883609563
+level: high
+logsource:
+    definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration,
+        Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
+        Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization
+        Policy Change'
+    product: windows
+    service: security
+references:
+- https://bit.ly/WinLogsZero2Hero
+tags:
+- attack.defense_evasion
+- attack.t1054
+- attack.t1562.002
+yml_filename: win_disable_event_logging.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+