detection.wiki

Detection rules › Sigma

Important Windows Event Auditing Disabled

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1562.002 Impair Defenses: Disable Windows Event Logging

Event coverage

ProviderEvent IDTitle
Security-Auditing4719System audit policy was changed.

Stages and Predicates

Stage 1: 1 of selection_state_success_and_failure

or:
AuditPolicyChanges|contains: '%%8448'
AuditPolicyChanges|contains: '%%8450'
SubcategoryGuid: ['{0CCE9210-69AE-11D9-BED3-505054503030}', '{0CCE9211-69AE-11D9-BED3-505054503030}', '{0CCE9212-69AE-11D9-BED3-505054503030}', '{0CCE9215-69AE-11D9-BED3-505054503030}', '{0CCE921B-69AE-11D9-BED3-505054503030}', '{0CCE922B-69AE-11D9-BED3-505054503030}', '{0CCE922F-69AE-11D9-BED3-505054503030}', '{0CCE9230-69AE-11D9-BED3-505054503030}', '{0CCE9235-69AE-11D9-BED3-505054503030}', '{0CCE9236-69AE-11D9-BED3-505054503030}', '{0CCE9237-69AE-11D9-BED3-505054503030}', '{0CCE923F-69AE-11D9-BED3-505054503030}', '{0CCE9240-69AE-11D9-BED3-505054503030}', '{0CCE9242-69AE-11D9-BED3-505054503030}']

Stage 2: 1 of selection_state_success_only

AuditPolicyChanges|contains: '%%8448'
SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AuditPolicyChangesmatch
  • %%8448 corpus 2 (sigma 2)
  • %%8450 corpus 2 (sigma 2)
SubcategoryGuideq
  • {0CCE9210-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9211-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9212-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9215-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9217-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE921B-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE922B-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE922F-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9230-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9235-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9236-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9237-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE923F-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9240-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)
  • {0CCE9242-69AE-11D9-BED3-505054503030} corpus 2 (sigma 2)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.