From 3d5f1796e6611dd2a2f442c9a064e93bb1bfdd50 Mon Sep 17 00:00:00 2001
From: Daniel Melgarejo <danimegar@gmail.com>
Date: Wed, 6 May 2020 14:21:08 +0200
Subject: [PATCH] Added more rules related to Windows Eventlog

---
 rules/0590-win-system_rules.xml  | 20 ++++++++++++++++++++
 rules/0610-win-ms_logs_rules.xml | 13 +++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/rules/0590-win-system_rules.xml b/rules/0590-win-system_rules.xml
index 0247b22a7..181438af8 100644
--- a/rules/0590-win-system_rules.xml
+++ b/rules/0590-win-system_rules.xml
@@ -323,4 +323,24 @@
     <options>no_email_alert</options>
   </rule>
 
+  <rule id="61139" level="8">
+    <if_sid>61102</if_sid>
+    <field name="win.system.eventID">^6008$</field>
+    <description>Unexpected system shutdown.</description>
+    <mitre>
+      <id>T1529</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+
+  <rule id="61140" level="7">
+    <if_sid>61100</if_sid>
+    <field name="win.system.eventID">^1074$</field>
+    <description>System has been shutdown by a process/user.</description>
+    <mitre>
+      <id>T1529</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+
 </group>
diff --git a/rules/0610-win-ms_logs_rules.xml b/rules/0610-win-ms_logs_rules.xml
index e0abe8563..7acdcf535 100644
--- a/rules/0610-win-ms_logs_rules.xml
+++ b/rules/0610-win-ms_logs_rules.xml
@@ -58,6 +58,8 @@
     <group>log_clearing,gpg13_10.1,gdpr_II_5.1.f,</group>
   </rule>
 
+    <!-- {"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Microsoft-Windows-Eventlog","eventID":"6006","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2018-11-27T13:03:51.594213100Z","eventRecordID":"8453","correlation":"","processID":"608","threadID":"1296","channel":"Microsoft-Windows-Eventlog","computer":"hffg","message":"The Event log service was started.","severityValue":"INFORMATION"},"eventdata":{"subjectUserSid":"S-1-5-21-571","subjectUserName":"HFFG$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","transactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","newState":"52","resourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","processId":"0x3f8","processName":"C:\\Windows\\System32\\svchost.exe"}}} -->
+
   <!-- {"win":{"system":{"providerName":"Microsoft-Windows-Eventlog","providerGuid":"{555908d1-a6d7-4695-8e1e-26931d2012f4}","eventSourceName":"Microsoft-Windows-Eventlog","eventID":"6005","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2018-11-27T13:03:51.594213100Z","eventRecordID":"8453","correlation":"","processID":"608","threadID":"1296","channel":"Microsoft-Windows-Eventlog","computer":"hffg","message":"The Event log service was started.","severityValue":"INFORMATION"},"eventdata":{"subjectUserSid":"S-1-5-21-571","subjectUserName":"HFFG$","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","transactionId":"{D2399FF4-F177-11E8-82BA-08002750D7C5}","newState":"52","resourceManager":"{7D5F0E1F-ABCB-11E8-A2E2-D5514FE2B72B}","processId":"0x3f8","processName":"C:\\Windows\\System32\\svchost.exe"}}} -->
   <rule id="63105" level="5">
     <if_sid>63100</if_sid>
@@ -81,4 +83,15 @@
     <description>Multiple Eventlog warning events</description>
     <options>no_full_log</options>
   </rule>
+
+  <rule id="63108" level="7">
+    <if_sid>63100</if_sid>
+    <field name="win.system.eventID">^6006$</field>
+    <description>The Event log service was stopped.</description>
+    <mitre>
+      <id>T1529</id>
+    </mitre>
+    <options>no_full_log</options>
+  </rule>
+
 </group>