From 47ca92f97abd7e8ddc5ca98ff4f44b847d356a25 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 21 Jul 2021 01:44:35 -0500
Subject: [PATCH] [New Rule] Disable Windows Event and Security Logs (#1181)

(cherry picked from commit c82790f588ab64cec75815612e1b2186b1582930)
---
 ...efense_evasion_disabling_windows_logs.toml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 rules/windows/defense_evasion_disabling_windows_logs.toml

diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
new file mode 100644
index 000000000..a24fbe63e
--- /dev/null
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2021/05/06"
+maturity = "production"
+updated_date = "2021/05/06"
+
+
+[rule]
+author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
+description = """
+Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by
+attackers in an attempt to evade detection on a system.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Disable Windows Event and Security Logs Using Built-in Tools"
+references = ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman"]
+risk_score = 21
+rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+
+ ((process.name:"logman.exe" or process.pe.original_file_name == "Logman.exe") and
+ process.args : "EventLog-*" and process.args : ("stop", "delete")) or
+
+ ((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or process.pe.original_file_name in
+ ("pwsh.exe", "powershell.exe", "powershell_ise.exe")) and
+ process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or
+
+ ((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal on Host"
+reference = "https://attack.mitre.org/techniques/T1070/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
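Review bot: The PowerShell branch of `query` compares `process.pe.original_file_name` with the case-sensitive `in` operator against lowercase values (`"pwsh.exe", "powershell.exe", "powershell_ise.exe"`), whereas the logman and auditpol branches match the PE's own casing (`"Logman.exe"`, `"AUDITPOL.EXE"`); if the real original file names are cased differently, as they appear to be for PowerShell, that alternative never fires and the branch depends on `process.name` alone, so the case-insensitive form `process.pe.original_file_name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe")` is safer — confirm the actual PE values. The same branch also requires `Set-Service`, `EventLog` and `Disabled` to appear as separate `process.args` tokens; when the cmdlet is supplied as one quoted `-Command "Set-Service EventLog -StartupType Disabled"` string (or via `-EncodedCommand`) the tokens are presumably not split and the rule misses, so consider adding `process.command_line : "*Set-Service*EventLog*Disabled*"` as an alternative and noting the encoded-command gap in `description`. Finally, disabling event logging maps more precisely to ATT&CK T1562.002 (Impair Defenses: Disable Windows Event Logging) than to T1070, which covers clearing or removing indicators already written; adding a second `[[rule.threat.technique]]` entry for T1562.002 would tighten the mapping.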