From a036fcc2dde2c399c0d87c5401dc374b64c8a855 Mon Sep 17 00:00:00 2001
From: frack113
Date: Mon, 4 Jul 2022 16:28:41 +0200
Subject: [PATCH] Add registry_set_disable_winevt_logging
---
 .../registry_set_disable_winevt_logging.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
new file mode 100644
index 000000000..f0e6405c4
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -0,0 +1,24 @@
+title: Disable Winevt Event Logging
+id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
+description: Disable Winevt Event logging by registry
+author: frack113
+date: 2022/07/04
+status: experimental
+references:
+ - https://twitter.com/WhichbufferArda/status/1543900539280293889
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\
+ TargetObject|endswith: \Enabled
+ Details: DWORD (0x00000000)
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.persistence
+ - attack.t1547.010
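Review bot: The ATT&CK mapping in the `tags` block at the end of the hunk does not match what the rule detects: T1547.010 is Boot or Logon Autostart Execution: Port Monitors, whereas setting a WINEVT channel's `Enabled` value to 0 is Impair Defenses: Disable Windows Event Logging, so the tags should read `- attack.defense_evasion` and `- attack.t1562.002` instead of the persistence pair. The `description` line would also help analysts more if it named the observable, e.g. `description: Detects the disabling of a Windows event log channel by setting its Enabled registry value to 0 under the WINEVT\Channels key`. Since `falsepositives` is left at `Unknown`, it is worth noting that legitimate administration that switches off a noisy channel presumably writes the same value and would match; listing that expectation gives triage a starting point even if it cannot be confirmed from this rule alone.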