security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da07164ce0d651bf72691bac1cfcafbf20249de
blue-team-tools/rules/windows/builtin/security/win_security_disable_event_logging.yml
T
Nasreddine Bencherchali 42b99b165d feat: new rules and fixes (#3759) 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2022-12-06 12:13:20 +01:00

31 lines
1.6 KiB
YAML
Raw Blame History

title: Disabling Windows Event Auditing
id: 69aeb277-f15f-4d2d-b32a-55e883609563
status: test
description: |
Detects scenarios where system auditing (ie: windows event log auditing) is disabled.
This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.
Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
references:
- https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
author: '@neu5ron'
date: 2017/11/19
modified: 2021/11/27
tags:
- attack.defense_evasion
- attack.t1562.002
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
selection:
EventID: 4719
AuditPolicyChanges|contains:
- '%%8448' # This is "Success removed"
- '%%8450' # This is "Failure removed"
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink