security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: FP found in testing environment

Browse Source
This commit is contained in:
phantinuss
2022-09-19 11:27:17 +02:00
parent 633037e3cc
commit a36724ffdf
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+2 -1
View File
@@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel
author: frack113, Nasreddine Bencherchali
date: 2022/07/04
modified: 2022/09/08
modified: 2022/09/19
status: experimental
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889
@@ -27,6 +27,7 @@ detection:
TargetObject|contains:
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\'
filter_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
Image:
- ''