← Back to Explore
sigmahighHunting
Disable Windows Event Logging Via Registry
Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
Detection Query
selection:
TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\
TargetObject|endswith: \Enabled
Details: DWORD (0x00000000)
filter_main_wevutil:
Image: C:\Windows\system32\wevtutil.exe
filter_main_iis:
Image|startswith: C:\Windows\winsxs\
Image|endswith: \TiWorker.exe
filter_main_svchost:
Image: C:\Windows\System32\svchost.exe
TargetObject|contains:
- \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter
- \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\
- \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\
- \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\
- \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational\
filter_main_trusted_installer:
Image: C:\Windows\servicing\TrustedInstaller.exe
TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser
filter_optional_empty:
Image: ""
filter_optional_null:
Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
Author
frack113, Nasreddine Bencherchali (Nextron Systems)
Created
2022-07-04
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1562.002
Raw Content
title: Disable Windows Event Logging Via Registry
id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
status: test
description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889
- https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-04
modified: 2024-03-25
tags:
- attack.defense-evasion
- attack.t1562.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
TargetObject|endswith: '\Enabled'
Details: 'DWORD (0x00000000)'
filter_main_wevutil:
Image: 'C:\Windows\system32\wevtutil.exe' # FP generated during installation of manifests via wevtutil
filter_main_iis:
Image|startswith: 'C:\Windows\winsxs\'
Image|endswith: '\TiWorker.exe' # Many different TargetObjects
filter_main_svchost:
Image: 'C:\Windows\System32\svchost.exe'
TargetObject|contains:
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational\'
filter_main_trusted_installer:
Image: C:\Windows\servicing\TrustedInstaller.exe
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser'
filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
Image: ''
filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
level: high