detection.wiki

Detection rules › Sigma

Windows Event Auditing Disabled

Severity
low
Author
@neu5ron, Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1562.002 Impair Defenses: Disable Windows Event Logging

Event coverage

ProviderEvent IDTitle
Security-Auditing4719System audit policy was changed.

Stages and Predicates

Stage 1: selection

or:
AuditPolicyChanges|contains: '%%8448'
AuditPolicyChanges|contains: '%%8450'

Stage 2: not 1 of filter_main_guid

SubcategoryGuid: ['{0CCE9210-69AE-11D9-BED3-505054503030}', '{0CCE9211-69AE-11D9-BED3-505054503030}', '{0CCE9212-69AE-11D9-BED3-505054503030}', '{0CCE9215-69AE-11D9-BED3-505054503030}', '{0CCE9217-69AE-11D9-BED3-505054503030}', '{0CCE921B-69AE-11D9-BED3-505054503030}', '{0CCE922B-69AE-11D9-BED3-505054503030}', '{0CCE922F-69AE-11D9-BED3-505054503030}', '{0CCE9230-69AE-11D9-BED3-505054503030}', '{0CCE9235-69AE-11D9-BED3-505054503030}', '{0CCE9236-69AE-11D9-BED3-505054503030}', '{0CCE9237-69AE-11D9-BED3-505054503030}', '{0CCE923F-69AE-11D9-BED3-505054503030}', '{0CCE9240-69AE-11D9-BED3-505054503030}', '{0CCE9242-69AE-11D9-BED3-505054503030}']

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AuditPolicyChangesmatch
  • %%8448 corpus 2 (sigma 2)
  • %%8450 corpus 2 (sigma 2)
SubcategoryGuideq
  • {0CCE9210-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9211-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9212-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9215-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9217-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE921B-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE922B-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE922F-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9230-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9235-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9236-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9237-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE923F-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9240-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9242-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.