LoFP / Rare false positives may occur from legitimate administrators disabling a specific event log for troubleshooting

Techniques

Sample rules

Disable Windows Event Logging Via Registry

Description

Detects tampering with the “Enabled” registry key in order to disable Windows logging of a Windows event channel

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_iis:
  Image|endswith: \TiWorker.exe
  Image|startswith: C:\Windows\winsxs\
filter_main_svchost:
  Image: C:\Windows\System32\svchost.exe
  TargetObject|contains:
  - \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter
  - \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\
  - \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\
  - \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\
  - \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational\
filter_main_trusted_installer:
  Image: C:\Windows\servicing\TrustedInstaller.exe
  TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser
filter_main_wevutil:
  Image: C:\Windows\system32\wevtutil.exe
filter_optional_empty:
  Image: ''
filter_optional_null:
  Image: null
selection:
  Details: DWORD (0x00000000)
  TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\
  TargetObject|endswith: \Enabled
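To make the condition above concrete, the following Python evaluates the same selection and filters against a handful of constructed Sysmon registry-value-set events. This is an added example written for this page, not Sigma's own backend, the rule author's code, or a SIEM query; the event records and their names are made up, and the matcher implements only the modifiers the rule uses (`contains`, `startswith`, `endswith`, plain equality, `null`), with Sigma's default case-insensitive string comparison. The `include_optional` switch shows the effect of the `filter_optional_*` group: with it on, events whose `Image` field is empty or missing are suppressed; with it off, they alert, which is the trade-off an analyst makes when tuning this rule.

```python
"""Evaluate the Sigma detection logic above against constructed Sysmon
registry-value-set events. Illustration only: not Sigma's backend code and
not the rule author's implementation; all sample events are constructed."""
from __future__ import annotations

from typing import Any

# Common prefix of every WINEVT channel path in the rule.
CH = "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\"

# Selection and filters transcribed from the rule's detection section.
SELECTION = {
    "Details": "DWORD (0x00000000)",
    "TargetObject|contains": CH,
    "TargetObject|endswith": "\\Enabled",
}
FILTER_MAIN = {
    "iis": {"Image|endswith": "\\TiWorker.exe",
            "Image|startswith": "C:\\Windows\\winsxs\\"},
    "svchost": {
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject|contains": [
            CH + "Microsoft-Windows-FileInfoMinifilter",
            CH + "Microsoft-Windows-ASN1\\",
            CH + "Microsoft-Windows-Kernel-AppCompat\\",
            CH + "Microsoft-Windows-Runtime\\Error\\",
            CH + "Microsoft-Windows-CAPI2/Operational\\",
        ],
    },
    "trusted_installer": {
        "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
        "TargetObject|contains": CH + "Microsoft-Windows-Compat-Appraiser",
    },
    "wevutil": {"Image": "C:\\Windows\\system32\\wevtutil.exe"},
}
FILTER_OPTIONAL = {"empty": {"Image": ""}, "null": {"Image": None}}


def _match_field(value: Any, modifier: str, pattern: Any) -> bool:
    """Sigma-style comparison of one field value against one pattern."""
    if pattern is None:               # 'null' means the field is absent
        return value is None
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()   # case-insensitive
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    return v == p


def _match_block(event: dict[str, Any], block: dict[str, Any]) -> bool:
    """All fields of a block must match (AND); a list of patterns is OR."""
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        pats = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_field(event.get(field), modifier, p) for p in pats):
            return False
    return True


def evaluate(event: dict[str, Any], include_optional: bool = True) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not _match_block(event, SELECTION):
        return False
    if any(_match_block(event, f) for f in FILTER_MAIN.values()):
        return False
    if include_optional and any(_match_block(event, f) for f in FILTER_OPTIONAL.values()):
        return False
    return True


# Constructed sample events (Sysmon Event ID 13 fields, values made up).
SAMPLE_EVENTS = {
    "reg_exe_disables_powershell_channel": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE" + CH + "Microsoft-Windows-PowerShell/Operational\\Enabled",
        "Details": "DWORD (0x00000000)"},
    "svchost_touches_asn1_channel": {
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SOFTWARE" + CH + "Microsoft-Windows-ASN1\\Enabled",
        "Details": "DWORD (0x00000000)"},
    "admin_uses_wevtutil": {
        "Image": "C:\\Windows\\System32\\wevtutil.exe",
        "TargetObject": "HKLM\\SOFTWARE" + CH + "Microsoft-Windows-TaskScheduler/Operational\\Enabled",
        "Details": "DWORD (0x00000000)"},
    "channel_enabled_not_disabled": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE" + CH + "Microsoft-Windows-PowerShell/Operational\\Enabled",
        "Details": "DWORD (0x00000001)"},
    "image_missing_from_event": {
        "TargetObject": "HKLM\\SOFTWARE" + CH + "Microsoft-Windows-DNS-Client/Operational\\Enabled",
        "Details": "DWORD (0x00000000)"},
}


def run_samples(include_optional: bool = True) -> dict[str, bool]:
    """Return {event name: True if the rule would alert on it}."""
    return {name: evaluate(ev, include_optional) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'ALERT ' if hit else 'quiet '} {name}")
```

Only the `reg.exe` write of `0` to an `Enabled` value alerts; the `svchost.exe` and `wevtutil.exe` events are dropped by the `filter_main_*` blocks, an `Enabled` value of `1` never matches the selection, and the event with no `Image` field is suppressed only while the optional filters are active.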