title: Audit Policy Tampering Via Auditpol
id: 0a13e132-651d-11eb-ae93-0242ac130002
related:
    - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol
      type: similar
status: test
description: |
  Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
  This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021-02-02
modified: 2023-02-22
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\auditpol.exe'
        - OriginalFileName: 'AUDITPOL.EXE'
    selection_cli:
        CommandLine|contains:
            - 'disable' # disables a specific audit policy
            - 'clear'   # delete or clears audit policy
            - 'remove'  # removes an audit policy
            - 'restore' # restores an audit policy
    condition: all of selection_*
falsepositives:
    - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored
level: high

title: Audit Policy Tampering Via NT Resource Kit Auditpol
id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
related:
    - id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version
      type: similar
status: test
description: |
    Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
    This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-21
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '/logon:none'
            - '/system:none'
            - '/sam:none'
            - '/privilege:none'
            - '/object:none'
            - '/process:none'
            - '/policy:none'
    condition: selection
falsepositives:
    - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure
level: high

title: Change Winevt Channel Access Permission Via Registry
id: 7d9263bd-dc47-4a58-bc92-5474abab390c
status: test
description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
references:
    - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
    - https://learn.microsoft.com/en-us/windows/win32/api/winevt/
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: frack113
date: 2022-09-17
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
        TargetObject|endswith: '\ChannelAccess'
        # Add more interesting combinations if you found them
        Details|contains:
            - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
            - '(A;;0x1;;;SY)' # Local System having GENERIC ALL
            - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and  GENERIC WRITE
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
references:
    - https://twitter.com/0gtweet/status/1182516740955226112
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
    # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
          EventType: 'CreateKey'    # we don't want deletekey
    # key rename
        - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Disable Windows Event Logging Via Registry
id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
status: test
description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
references:
    - https://twitter.com/WhichbufferArda/status/1543900539280293889
    - https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-04
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
        TargetObject|endswith: '\Enabled'
        Details: 'DWORD (0x00000000)'
    filter_main_wevutil:
        Image: 'C:\Windows\system32\wevtutil.exe' # FP generated during installation of manifests via wevtutil
    filter_main_iis:
        Image|startswith: 'C:\Windows\winsxs\'
        Image|endswith: '\TiWorker.exe'  # Many different TargetObjects
    filter_main_svchost:
        Image: 'C:\Windows\System32\svchost.exe'
        TargetObject|contains:
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational\'
    filter_main_trusted_installer:
        Image: C:\Windows\servicing\TrustedInstaller.exe
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser'
    filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
        Image: ''
    filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
level: high

title: Disable Windows IIS HTTP Logging
id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
status: test
description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
author: frack113
date: 2022-01-09
modified: 2023-01-22
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'set'
            - 'config'
            - 'section:httplogging'
            - 'dontLog:true'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: HTTP Logging Disabled On IIS Server
id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
status: test
description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration: '/system.webServer/httpLogging/@dontLog'
        NewValue: 'true'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - SharpEvtMute DLL Load
id: 49329257-089d-46e6-af37-4afce4290685
related:
    - id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c # Process Creation
      type: similar
status: test
description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
references:
    - https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2024-11-23
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
    condition: selection
falsepositives:
    - Other DLLs with the same Imphash
level: high

title: HackTool - SharpEvtMute Execution
id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
related:
    - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load
      type: similar
status: test
description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
references:
    - https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-02-14
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\SharpEvtMute.exe'
        - Description: 'SharpEvtMute'
        - CommandLine|contains:
              - '--Filter "rule '
              - '--Encoded --Filter \"'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - SysmonEnte Execution
id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
status: test
description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
references:
    - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
    - https://github.com/codewhitesec/SysmonEnte/
    - https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-11-28
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_access
    product: windows
detection:
    selection_sysmon:
        TargetImage|contains:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
        GrantedAccess: '0x1400'
    selection_calltrace:
        CallTrace: 'Ente'
    filter_main_generic:
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_main_msdefender:
        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
        SourceImage|endswith: '\MsMpEng.exe'
    condition: ( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace
falsepositives:
    - Unknown
level: high

title: Important Windows Event Auditing Disabled
id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
related:
    - id: 69aeb277-f15f-4d2d-b32a-55e883609563
      type: derived
status: test
description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
references:
    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
    - https://github.com/SigmaHQ/sigma/blob/ad1bfd3d28aa0ccc9656240f845022518ef65a2e/documentation/logsource-guides/windows/service/security.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-20
modified: 2023-11-17
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection_state_success_and_failure:
        EventID: 4719
        SubcategoryGuid:
            # Note: Add or remove GUID as you see fit in your env
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
        AuditPolicyChanges|contains:
            - '%%8448' # This is "Success removed"
            - '%%8450' # This is "Failure removed"
    selection_state_success_only:
        EventID: 4719
        SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
        AuditPolicyChanges|contains: '%%8448'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: Potential AutoLogger Sessions Tampering
id: f37b4bce-49d0-4087-9f5b-58bffda77316
related:
    - id: d7b81144-b866-48a4-9bcc-275dc69d870e
      type: similar
status: test
description: |
    Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.
    The AutoLogger event tracing session records events up that occur early in the operating system boot process.
    Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.
    Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
    - https://twitter.com/MichalKoczwara/status/1553634816016498688
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
    - https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2025-12-26
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\Control\WMI\Autologger\'
    selection_values:
        TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need
            - '\EventLog-'
            - '\Defender'
        TargetObject|endswith:
            - '\Enabled'
            - '\Start'
        Details: DWORD (0x00000000)
    filter_main_wevtutil:
        Image: 'C:\Windows\system32\wevtutil.exe'
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
        TargetObject|contains:
            - '\DefenderApiLogger\'
            - '\DefenderAuditLogger\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions/info.yml
simulation:
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0

title: Potential EventLog File Location Tampering
id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
status: test
description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
references:
    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\File'
    filter:
        Details|contains: '\System32\Winevt\Logs\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Security Event Logging Disabled via MiniNt Registry Key - Process
id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462
related:
    - id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set
      type: similar
status: experimental
description: |
    Detects attempts to disable security event logging by adding the `MiniNt` registry key.
    This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
    Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
references:
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        # Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cmd:
        CommandLine|contains|all:
            - ' add '
            - '\SYSTEM\CurrentControlSet\Control\MiniNt'
    selection_powershell_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_powershell_cmd1:
        CommandLine|contains:
            - 'New-Item '
            - 'ni '
    selection_powershell_cmd2:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: all of selection_reg_* or all of selection_powershell_*
falsepositives:
    - Highly Unlikely
level: high

title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
id: 8839e550-52d7-4958-9f2f-e13c1e736838
related:
    - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
      type: similar
status: experimental
description: |
    Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
    Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
    Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
references:
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
    condition: selection
falsepositives:
    - Highly Unlikely
level: high

title: Suspicious Eventlog Clearing or Configuration Change Activity
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
status: stable
description: |
    Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
    This technique were seen used by threat actors and ransomware strains in order to evade defenses.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
    - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
    - https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc
    - https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-09-26
modified: 2025-03-12
tags:
    - attack.defense-impairment
    - attack.t1685.005
    - attack.t1685.001
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cmd:
        CommandLine|contains:
            - 'clear-log '          # clears specified log
            - ' cl '                # short version of 'clear-log'
            - 'set-log '            # modifies config of specified log. could be uset to set it to a tiny size
            - ' sl '                # short version of 'set-log'
            - 'lfn:'                # change log file location and name
    selection_other_ps_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
    selection_other_ps_cmd:
        - CommandLine|contains:
              - 'Clear-EventLog '
              - 'Remove-EventLog '
              - 'Limit-EventLog '
              - 'Clear-WinEvent '
        - CommandLine|contains|all:
              - 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
              - 'ClearLog'
        - CommandLine|contains|all:
              - 'Diagnostics.EventLog'
              - 'Clear'
    selection_other_wmi:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
        CommandLine|contains: 'ClearEventLog'
    filter_main_msiexec:
        # Example seen during office update/installation:
        #   ParentImage: C:\Windows\SysWOW64\msiexec.exe
        #   CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
        ParentImage:
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: ' sl '
    condition: (all of selection_wevtutil_*) or (all of selection_other_ps_*) or (selection_other_wmi) and not 1 of filter_main_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
    - Maintenance activity
level: high

title: Suspicious Svchost Process Access
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: test
description: Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
references:
    - https://github.com/hlldz/Invoke-Phant0m
    - https://twitter.com/timbmsft/status/900724491076214784
author: Tim Burrell
date: 2020-01-02
modified: 2023-01-30
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: ':\Windows\System32\svchost.exe'
        GrantedAccess: '0x1F3FFF'
        CallTrace|contains: 'UNKNOWN'
    filter_main_msbuild:
        SourceImage|contains: ':\Program Files\Microsoft Visual Studio\'
        SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
        # Just to make sure it's "really" .NET :)
        CallTrace|contains:
            - 'Microsoft.Build.ni.dll'
            - 'System.ni.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Sysmon Driver Unloaded Via Fltmc.EXE
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
related:
    - id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic
      type: similar
status: test
description: Detects possible Sysmon filter driver unloaded via fltmc.exe
references:
    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
author: Kirill Kiryanov, oscd.community
date: 2019-10-23
modified: 2023-02-13
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - attack.t1685.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\fltMC.exe'
        - OriginalFileName: 'fltMC.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'unload'
            - 'sysmon'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Windows EventLog Autologger Session Registry Modification Via CommandLine
id: d7b81144-b866-48a4-9bcc-275dc69d870e
related:
    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
      type: similar
status: experimental
description: |
    Detects attempts to disable Windows EventLog autologger sessions via registry modification.
    The AutoLogger event tracing session records events that occur early in the operating system boot process.
    Applications and device drivers can use the AutoLogger session to capture traces before the user logs in.
    Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
    - https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
    - https://ptylu.github.io/content/report/report.html?report=25
    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\reg.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'reg.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_action:
        CommandLine|contains:
            - 'add '
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - 'si ' # Set-ItemProperty alias
    selection_cli_base:
        CommandLine|contains: '\Control\WMI\Autologger\'
    selection_cli_key:
        CommandLine|contains:
            - 'Start' # Key used to disable specific autologger session like EventLog-Application, EventLog-System etc.
            - 'Enabled' # Key used to disable specific provider of autologger session
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0

title: ETW Logging/Processing Option Disabled On IIS Server
id: a5b40a90-baf5-4bf7-a6f7-373494881d22
status: test
description: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
author: frack113, Nasreddine Bencherchali
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|endswith: '@logTargetW3C'
        OldValue|contains: 'ETW'
    filter_main_etw_added:
        NewValue|contains: 'ETW'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator activity
level: medium

title: EVTX Created In Uncommon Location
id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
status: test
description: |
    Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
    This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
    Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
references:
    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2024-03-26
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx<TargetFilename>'
detection:
    selection:
        TargetFilename|endswith: '.evtx'
    filter_main_path:
        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
    filter_main_baseimage:
        TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
        TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrator or backup activity
    - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "<log_name">_<uuid>.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml

title: Filter Driver Unloaded Via Fltmc.EXE
id: 4931188c-178e-4ee7-a348-39e8a7a56821
related:
    - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
      type: derived
status: test
description: Detect filter driver unloading activity via fltmc.exe
references:
    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
    - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - attack.t1685.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\fltMC.exe'
        - OriginalFileName: 'fltMC.exe'
    selection_cli:
        CommandLine|contains: 'unload'
    filter_optional_avira:
        ParentImage|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\Temp\'
        ParentImage|endswith: '\endpoint-protection-installer-x64.tmp'
        CommandLine|endswith:
            - 'unload rtp_filesystem_filter'
            - 'unload rtp_filter'
    filter_optional_manageengine:
        ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe'
        CommandLine|endswith: 'unload DFMFilter'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: New Module Module Added To IIS Server
id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
status: test
description: Detects the addition of a new module to an IIS server.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/add'
    filter_main_builtin:
        NewValue:
            - 'AnonymousAuthenticationModule'
            - 'CustomErrorModule'
            - 'DefaultDocumentModule'
            - 'DirectoryListingModule'
            - 'FileCacheModule'
            - 'HttpCacheModule'
            - 'HttpLoggingModule'
            - 'ProtocolSupportModule'
            - 'RequestFilteringModule'
            - 'StaticCompressionModule'
            - 'StaticFileModule'
            - 'TokenCacheModule'
            - 'UriCacheModule'
    filter_main_remove:
        NewValue: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator activity
level: medium

title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium

title: Previously Installed IIS Module Was Removed
id: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f
status: test
description: Detects the removal of a previously installed IIS module.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: Nasreddine Bencherchali
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/remove'
    condition: selection
falsepositives:
    - Legitimate administrator activity
# Note: Upgrade after an initial baseline
level: low

title: Windows Event Auditing Disabled
id: 69aeb277-f15f-4d2d-b32a-55e883609563
related:
    - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
      type: derived
status: test
description: |
    Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.
    This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.
    Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
    Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
references:
    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
date: 2017-11-19
modified: 2023-11-15
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection:
        EventID: 4719
        AuditPolicyChanges|contains:
            - '%%8448' # This is "Success removed"
            - '%%8450' # This is "Failure removed"
    filter_main_guid:
        # Note: We filter these GUID to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
        SubcategoryGuid:
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low # Increase this after a testing period in your environment