Merge pull request #3204 from phantinuss/master

fix: FP with IIS installation

rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml

@@ -3,6 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel
 author: frack113, Nasreddine Bencherchali
 date: 2022/07/04
+modified: 2022/07/07
 status: experimental
 references:
     - https://twitter.com/WhichbufferArda/status/1543900539280293889
@@ -16,9 +17,13 @@ detection:
         TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\
         TargetObject|endswith: \Enabled
         Details: DWORD (0x00000000)
-    filter:
+    filter_wevutil:
         Image|endswith: '\Windows\system32\wevtutil.exe' #FP generated during installation of manifests via wevtutil
-    condition: selection and not filter
+    filter_iis:
+        Image|startswith: 'C:\Windows\winsxs\'
+        Image|endswith: '\TiWorker.exe'
+        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-IIS-Logging'
+    condition: selection and not 1 of filter*
 falsepositives:
     - Legitimate administrators disabling specific event log for troubleshooting
 level: high