Important Windows Event Auditing Disabled
Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.002 Impair Defenses: Disable Windows Event Logging |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4719 | System audit policy was changed. |
Rule body
```yaml
title: Important Windows Event Auditing Disabled
id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
related:
    - id: 69aeb277-f15f-4d2d-b32a-55e883609563
      type: derived
status: test
description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
references:
    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
    - https://github.com/SigmaHQ/sigma/blob/ad1bfd3d28aa0ccc9656240f845022518ef65a2e/documentation/logsource-guides/windows/service/security.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-20
modified: 2023-11-17
tags:
    - attack.defense-evasion
    - attack.t1562.002
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection_state_success_and_failure:
        EventID: 4719
        SubcategoryGuid:
            # Note: Add or remove GUIDs as you see fit in your environment
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
        AuditPolicyChanges|contains:
            - '%%8448' # "Success removed"
            - '%%8450' # "Failure removed"
    selection_state_success_only:
        EventID: 4719
        SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
        AuditPolicyChanges|contains: '%%8448' # "Success removed"; Failure auditing for this subcategory is not tracked
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
```
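The rule's two selections, re-implemented as an added Python example (this is not code from SigmaHQ or the rule author) and run over constructed 4719 records so that the boundary cases are explicit: a change that adds auditing back ("%%8449", "Success added") does not fire, "Failure removed" on Account Lockout does not fire because that subcategory is only in the success-only selection, a subcategory GUID the rule does not list does not fire, and GUID matching is case-insensitive as in Sigma. The `label` field, the helper names and every sample record are this example's own.

```python
# Added example: a stand-alone re-implementation of this rule's detection logic.
# It is not code from SigmaHQ or the rule author; all events below are constructed.

SUCCESS_REMOVED = "%%8448"   # AuditPolicyChanges token: "Success removed"
FAILURE_REMOVED = "%%8450"   # AuditPolicyChanges token: "Failure removed"

# selection_state_success_and_failure: removing either Success or Failure auditing
# from any of these subcategories fires the rule.
SUCCESS_AND_FAILURE_GUIDS = {
    "{0CCE9210-69AE-11D9-BED3-505054503030}",  # Security State Change
    "{0CCE9211-69AE-11D9-BED3-505054503030}",  # Security System Extension
    "{0CCE9212-69AE-11D9-BED3-505054503030}",  # System Integrity
    "{0CCE9215-69AE-11D9-BED3-505054503030}",  # Logon
    "{0CCE921B-69AE-11D9-BED3-505054503030}",  # Special Logon
    "{0CCE922B-69AE-11D9-BED3-505054503030}",  # Process Creation
    "{0CCE922F-69AE-11D9-BED3-505054503030}",  # Audit Policy Change
    "{0CCE9230-69AE-11D9-BED3-505054503030}",  # Authentication Policy Change
    "{0CCE9235-69AE-11D9-BED3-505054503030}",  # User Account Management
    "{0CCE9236-69AE-11D9-BED3-505054503030}",  # Computer Account Management
    "{0CCE9237-69AE-11D9-BED3-505054503030}",  # Security Group Management
    "{0CCE923F-69AE-11D9-BED3-505054503030}",  # Credential Validation
    "{0CCE9240-69AE-11D9-BED3-505054503030}",  # Kerberos Service Ticket Operations
    "{0CCE9242-69AE-11D9-BED3-505054503030}",  # Kerberos Authentication Service
}

# selection_state_success_only: Account Lockout only matters when Success auditing
# is removed, so a "Failure removed" change for this subcategory does not fire.
SUCCESS_ONLY_GUIDS = {"{0CCE9217-69AE-11D9-BED3-505054503030}"}  # Account Lockout


def matching_selection(event):
    """Return the name of the selection that matches this event, or None.

    Sigma string matching is case-insensitive, so the GUID is upper-cased before
    the set lookup. The `|contains` modifier is a substring test; Windows renders
    AuditPolicyChanges as a comma-separated token list such as "%%8448, %%8450".
    """
    if str(event.get("EventID")) != "4719":
        return None
    guid = str(event.get("SubcategoryGuid", "")).upper()
    changes = str(event.get("AuditPolicyChanges", ""))
    removed_any = SUCCESS_REMOVED in changes or FAILURE_REMOVED in changes
    if guid in SUCCESS_AND_FAILURE_GUIDS and removed_any:
        return "selection_state_success_and_failure"
    if guid in SUCCESS_ONLY_GUIDS and SUCCESS_REMOVED in changes:
        return "selection_state_success_only"
    return None  # condition "1 of selection_*" not satisfied


def evaluate(events):
    """Apply the rule to a list of events; return [(label, selection)] for the hits."""
    hits = []
    for ev in events:
        sel = matching_selection(ev)
        if sel is not None:
            hits.append((ev["label"], sel))
    return hits


# Constructed 4719 records in the field shape the rule expects ("label" is ours).
SAMPLE_EVENTS = [
    {"label": "proc-creation-success-removed", "EventID": 4719,
     "SubcategoryGuid": "{0CCE922B-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8448"},
    {"label": "logon-failure-removed", "EventID": 4719,
     "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8450"},
    {"label": "proc-creation-success-added", "EventID": 4719,
     "SubcategoryGuid": "{0CCE922B-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8449"},  # auditing re-enabled: no hit
    {"label": "lockout-success-removed", "EventID": 4719,
     "SubcategoryGuid": "{0CCE9217-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8448"},
    {"label": "lockout-failure-removed", "EventID": 4719,
     "SubcategoryGuid": "{0CCE9217-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8450"},  # success-only selection: no hit
    {"label": "lowercase-guid-both-removed", "EventID": "4719",
     "SubcategoryGuid": "{0cce9242-69ae-11d9-bed3-505054503030}",
     "AuditPolicyChanges": "%%8448, %%8450"},
    {"label": "unlisted-subcategory", "EventID": 4719,
     "SubcategoryGuid": "{0CCE9227-69AE-11D9-BED3-505054503030}",  # not in the rule
     "AuditPolicyChanges": "%%8448"},
    {"label": "wrong-event-id", "EventID": 4907,
     "SubcategoryGuid": "{0CCE922B-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8448"},
]

if __name__ == "__main__":
    for label, sel in evaluate(SAMPLE_EVENTS):
        print(f"{label}: {sel}")
```

Running the block prints four hits: the Process Creation and Logon removals and the lower-cased Kerberos GUID land in `selection_state_success_and_failure`, the Account Lockout "Success removed" change lands in `selection_state_success_only`, and the other four records are silent. When tuning the GUID list for your environment, extend `SUCCESS_AND_FAILURE_GUIDS` in the same way the rule's own comment invites you to extend `SubcategoryGuid`.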
Stages and Predicates
Stage 0: condition
```
1 of selection_*
```
Stage 1: selection_state_success_and_failure
```yaml
selection_state_success_and_failure:
    EventID: 4719
    SubcategoryGuid:
        - '{0CCE9210-69AE-11D9-BED3-505054503030}'
        - '{0CCE9211-69AE-11D9-BED3-505054503030}'
        - '{0CCE9212-69AE-11D9-BED3-505054503030}'
        - '{0CCE9215-69AE-11D9-BED3-505054503030}'
        - '{0CCE921B-69AE-11D9-BED3-505054503030}'
        - '{0CCE922B-69AE-11D9-BED3-505054503030}'
        - '{0CCE922F-69AE-11D9-BED3-505054503030}'
        - '{0CCE9230-69AE-11D9-BED3-505054503030}'
        - '{0CCE9235-69AE-11D9-BED3-505054503030}'
        - '{0CCE9236-69AE-11D9-BED3-505054503030}'
        - '{0CCE9237-69AE-11D9-BED3-505054503030}'
        - '{0CCE923F-69AE-11D9-BED3-505054503030}'
        - '{0CCE9240-69AE-11D9-BED3-505054503030}'
        - '{0CCE9242-69AE-11D9-BED3-505054503030}'
    AuditPolicyChanges|contains:
        - '%%8448'
        - '%%8450'
```
Stage 2: selection_state_success_only
```yaml
selection_state_success_only:
    EventID: 4719
    SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}'
    AuditPolicyChanges|contains: '%%8448'
```
Indicators
Each row is a field, the operator the rule applies to it, and the values it matches.
| Field | Kind | Values |
|---|---|---|
| AuditPolicyChanges | match | %%8448, %%8450 |
| SubcategoryGuid | eq | {0CCE9210-69AE-11D9-BED3-505054503030}, {0CCE9211-69AE-11D9-BED3-505054503030}, {0CCE9212-69AE-11D9-BED3-505054503030}, {0CCE9215-69AE-11D9-BED3-505054503030}, {0CCE9217-69AE-11D9-BED3-505054503030}, {0CCE921B-69AE-11D9-BED3-505054503030}, {0CCE922B-69AE-11D9-BED3-505054503030}, {0CCE922F-69AE-11D9-BED3-505054503030}, {0CCE9230-69AE-11D9-BED3-505054503030}, {0CCE9235-69AE-11D9-BED3-505054503030}, {0CCE9236-69AE-11D9-BED3-505054503030}, {0CCE9237-69AE-11D9-BED3-505054503030}, {0CCE923F-69AE-11D9-BED3-505054503030}, {0CCE9240-69AE-11D9-BED3-505054503030}, {0CCE9242-69AE-11D9-BED3-505054503030} |