From 1a2a4884e81da6746b2a7cf48716e56825e129e8 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 20 Sep 2020 21:57:42 -0500 Subject: [PATCH] T1562.002 Disable Windows Event Logging --- DefenseEvasion.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/DefenseEvasion.md b/DefenseEvasion.md index 4f4749e..eaebf87 100644 --- a/DefenseEvasion.md +++ b/DefenseEvasion.md @@ -125,6 +125,20 @@ This Atomic tests detections of certutil encoding and decoding of executables, a ### T1562.002 Disable Windows Event Logging Atomics: [T1562.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md) +#### Atomic #1 - Disable IIS Logging + +``` +TgtProcName = "appcmd.exe" AND TgtProcCmdLine ContainsCIS "/dontLog:true" AND TgtProcCmdLine ContainsCIS "/section:httplogging" +``` + +#### Atomic #2 - Kill Eventlog Service Threads + +Detection is specific to Invoke-Phant0m strings as the test uses it, and we're hoping to catch renamed and obfuscated versions by catching the TerminateThread call. + +``` +SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR SrcProcCmdScript ContainsCIS "$Kernel32::TerminateThread($getThread" OR SrcProcCmdScript ContainsCIS "Invoke-Phant0m" +``` + ### T1562.004 Disable or Modify System Firewall Atomics: [T1562.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md)
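Review bot: In Atomic #2, the fragment `$Kernel32::TerminateThread($getThread` is tied to Invoke-Phant0m's own variable names, so the renamed and obfuscated variants the paragraph says it hopes to catch would slip past it as soon as `$Kernel32` or `$getThread` is renamed; consider anchoring on the call itself, e.g. `SrcProcCmdScript ContainsCIS "TerminateThread"`, and state in the text that this broader match should be checked for false positives before it is relied on. Minor: Atomic #1 matches on `Tgt*` fields while Atomic #2 matches on `Src*` fields; a one-line note explaining why (the appcmd.exe process being created versus the script content of the launching process) would help readers extending these queries.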