From 2ec5919b9e4e2f5ce0dca394b6fedf3950bcb653 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sun, 19 Nov 2017 22:49:40 +0100
Subject: [PATCH] Fixed win_disable_event_logging by multiline description

---
 .../windows/builtin/win_disable_event_logging | 17 --------------
 .../builtin/win_disable_event_logging.yml | 23 +++++++++++++++++++
 2 files changed, 23 insertions(+), 17 deletions(-)
 delete mode 100644 rules/windows/builtin/win_disable_event_logging
 create mode 100644 rules/windows/builtin/win_disable_event_logging.yml

diff --git a/rules/windows/builtin/win_disable_event_logging b/rules/windows/builtin/win_disable_event_logging
deleted file mode 100644
index 20497e1f7..000000000
--- a/rules/windows/builtin/win_disable_event_logging
+++ /dev/null
@@ -1,17 +0,0 @@
-title: Disabling Windows Event Auditing
-description: Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
-reference:
- - https://bit.ly/WinLogsZero2Hero
-author: '@neu5ron'
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
-detection:
- selection:
- EventID: 4719
- Message: 'removed'
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
new file mode 100644
index 000000000..955ff0fa1
--- /dev/null
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -0,0 +1,23 @@
+title: Disabling Windows Event Auditing
+description: >
+ Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
+ where an entity would want to bypass local logging to evade detection when windows event logging is enabled and
+ reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure
+ that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
+ Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
+ specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
+reference:
+ - https://bit.ly/WinLogsZero2Hero
+author: '@neu5ron'
+logsource:
+ product: windows
+ service: security
+ description: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
+detection:
+ selection:
+ EventID: 4719
+ Message: 'removed'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
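Review bot: The selection in the new file keys on `Message: 'removed'`, and a plain Sigma string value is by default an exact, whole-value match; since the Message field of a 4719 event is expected to carry the full audit-policy-change text, this fragment is unlikely to match unless the backend happens to do substring matching, in which case the rule would fire on nothing. If a substring match is intended, `Message: '*removed*'` makes that explicit and portable across backends. The `reference` entry is a bit.ly shortener, which is opaque and can expire or be repointed, so citing the resolved URL would make the source verifiable. Because 4719 with a removed audit setting also fires on ordinary GPO-driven policy changes, `falsepositives` could name that case rather than only `Unknown`. The deleted file in the first hunk carries the same detection block, so this applies to the rule as it existed before the commit too.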