Windows Event Auditing Disabled

calendar Dec 21, 2023 · attack.defense_evasion attack.t1562.002  ·
Share on: linkedin copy

Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.

Sigma rule (View on GitHub)

 1title: Windows Event Auditing Disabled
 2id: 69aeb277-f15f-4d2d-b32a-55e883609563
 3related:
 4    - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
 5      type: derived
 6status: test
 7description: |
 8    Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.
 9    This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.
10    Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
11    Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.    
12references:
13    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
14author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
15date: 2017/11/19
16modified: 2023/11/15
17tags:
18    - attack.defense_evasion
19    - attack.t1562.002
20logsource:
21    product: windows
22    service: security
23    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
24detection:
25    selection:
26        EventID: 4719
27        AuditPolicyChanges|contains:
28            - '%%8448' # This is "Success removed"
29            - '%%8450' # This is "Failure removed"
30    filter_main_guid:
31        # Note: We filter these GUID to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
32        SubcategoryGuid:
33            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
34            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
35            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
36            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
37            - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
38            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
39            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
40            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
41            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
42            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
43            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
44            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
45            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
46            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
47            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service'
48    condition: selection and not 1 of filter_main_*
49falsepositives:
50    - Unknown
51level: low # Increase this after a testing period in your environment

References

Related rules

to-top