Important Windows Event Auditing Disabled

calendar Dec 21, 2023 · attack.defense_evasion attack.t1562.002  ·
Share on: linkedin copy

Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

Sigma rule (View on GitHub)

 1title: Important Windows Event Auditing Disabled
 2id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
 3related:
 4    - id: 69aeb277-f15f-4d2d-b32a-55e883609563
 5      type: derived
 6status: test
 7description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
 8references:
 9    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
10    - https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023/06/20
13modified: 2023/11/17
14tags:
15    - attack.defense_evasion
16    - attack.t1562.002
17logsource:
18    product: windows
19    service: security
20    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
21detection:
22    selection_state_success_and_failure:
23        EventID: 4719
24        SubcategoryGuid:
25            # Note: Add or remove GUID as you see fit in your env
26            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
27            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
28            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
29            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
30            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
31            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
32            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
33            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
34            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
35            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
36            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
37            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
38            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
39            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
40        AuditPolicyChanges|contains:
41            - '%%8448' # This is "Success removed"
42            - '%%8450' # This is "Failure removed"
43    selection_state_success_only:
44        EventID: 4719
45        SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
46        AuditPolicyChanges|contains: '%%8448'
47    condition: 1 of selection_*
48falsepositives:
49    - Unlikely
50level: high

References

Related rules

to-top