hayabusa/rules/Sigma/win_disable_event_logging.yml

title: Disabling Windows Event Auditing
author: '@neu5ron'
date: 2017/11/19
description: 'Detects scenarios where system auditing (ie: windows event log auditing)
    is disabled. This may be used in a scenario where an entity would want to bypass
    local logging to evade detection when windows event logging is enabled and reviewed.
    Also, it is recommended to turn off "Local Group Policy Object Processing" via
    GPO, which will make sure that Active Directory GPOs take precedence over local/edited
    computer policies via something such as "gpedit.msc". Please note, that disabling
    "Local Group Policy Object Processing" may cause an issue in scenarios of one
    off specific GPO modifications -- however it is recommended to perform these modifications
    in Active Directory anyways.'
detection:
    SELECTION_1:
        EventID: 4719
    SELECTION_2:
        AuditPolicyChanges: '*%%8448*'
    SELECTION_3:
        AuditPolicyChanges: '*%%8450*'
    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Unknown
id: 69aeb277-f15f-4d2d-b32a-55e883609563
level: high
logsource:
    definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration,
        Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
        Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization
        Policy Change'
    product: windows
    service: security
references:
- https://bit.ly/WinLogsZero2Hero
tags:
- attack.defense_evasion
- attack.t1054
- attack.t1562.002
yml_filename: win_disable_event_logging.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin