EXPLORE
Sign In
← Back to Explore
sigmalowHunting

Windows Event Auditing Disabled

Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.

MITRE ATT&CK

T1562.002
defense-evasion

Detection Query

selection:
  EventID: 4719
  AuditPolicyChanges|contains:
    - "%%8448"
    - "%%8450"
filter_main_guid:
  SubcategoryGuid:
    - "{0CCE9210-69AE-11D9-BED3-505054503030}"
    - "{0CCE9211-69AE-11D9-BED3-505054503030}"
    - "{0CCE9212-69AE-11D9-BED3-505054503030}"
    - "{0CCE9215-69AE-11D9-BED3-505054503030}"
    - "{0CCE9217-69AE-11D9-BED3-505054503030}"
    - "{0CCE921B-69AE-11D9-BED3-505054503030}"
    - "{0CCE922B-69AE-11D9-BED3-505054503030}"
    - "{0CCE922F-69AE-11D9-BED3-505054503030}"
    - "{0CCE9230-69AE-11D9-BED3-505054503030}"
    - "{0CCE9235-69AE-11D9-BED3-505054503030}"
    - "{0CCE9236-69AE-11D9-BED3-505054503030}"
    - "{0CCE9237-69AE-11D9-BED3-505054503030}"
    - "{0CCE923F-69AE-11D9-BED3-505054503030}"
    - "{0CCE9240-69AE-11D9-BED3-505054503030}"
    - "{0CCE9242-69AE-11D9-BED3-505054503030}"
condition: selection and not 1 of filter_main_*

Author

@neu5ron, Nasreddine Bencherchali (Nextron Systems)

Created

2017-11-19

Data Sources

windowssecurity

Platforms

windows

References

Tags

attack.defense-evasionattack.t1562.002
Raw Content
title: Windows Event Auditing Disabled
id: 69aeb277-f15f-4d2d-b32a-55e883609563
related:
    - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
      type: derived
status: test
description: |
    Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.
    This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.
    Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
    Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
references:
    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
date: 2017-11-19
modified: 2023-11-15
tags:
    - attack.defense-evasion
    - attack.t1562.002
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection:
        EventID: 4719
        AuditPolicyChanges|contains:
            - '%%8448' # This is "Success removed"
            - '%%8450' # This is "Failure removed"
    filter_main_guid:
        # Note: We filter these GUID to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
        SubcategoryGuid:
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low # Increase this after a testing period in your environment