T1562.002 Disable Windows Event Logging Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let EventLogTampering = dynamic(["sc stop EventLog", "sc config EventLog start=disabled", "net stop EventLog", "Stop-Service EventLog", "Set-Service -Name EventLog -Status Stopped", "wevtutil sl", "wevtutil cl", "auditpol /clear", "auditpol /set", "auditpol /remove /allusers"]);
let RegistryPaths = dynamic(["Control\\WMI\\Autologger\\EventLog-Security", "Control\\WMI\\Autologger\\EventLog-System", "Control\\WMI\\Autologger\\EventLog-Application", "Services\\EventLog"]);
union DeviceProcessEvents, DeviceRegistryEvents
| where Timestamp > ago(24h)
| where (ProcessCommandLine has_any (EventLogTampering))
   or (ActionType == "RegistryValueSet" and RegistryKey has_any (RegistryPaths) and RegistryValueName in ("Start", "Enabled", "EnableProperty"))
| extend TamperType = case(
    ProcessCommandLine has "sc stop EventLog" or ProcessCommandLine has "net stop EventLog" or ProcessCommandLine has "Stop-Service EventLog", "EventLog Service Stop",
    ProcessCommandLine has "sc config EventLog", "EventLog Service Disable",
    ProcessCommandLine has "wevtutil cl", "Event Log Clear",
    ProcessCommandLine has "wevtutil sl", "Event Log Settings Modified",
    ProcessCommandLine has "auditpol /clear" or ProcessCommandLine has "auditpol /remove", "Audit Policy Clear",
    ProcessCommandLine has "auditpol /set", "Audit Policy Modified",
    ActionType == "RegistryValueSet", "Autologger Registry Modified",
    "Unknown")
| project Timestamp, DeviceName, AccountName, TamperType, ProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

IT administrators clearing event logs during troubleshooting or after resolving known issues with full change control documentation
Log rotation scripts that archive and clear old event logs on a scheduled basis
SIEM agents or log forwarders that modify event log settings during initial deployment or reconfiguration

Splunk

spl

(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*sc stop EventLog*" OR CommandLine="*sc config eventlog*" OR CommandLine="*net stop EventLog*" OR CommandLine="*Stop-Service*EventLog*" OR CommandLine="*wevtutil cl*" OR CommandLine="*wevtutil sl*" OR CommandLine="*auditpol /clear*" OR CommandLine="*auditpol /set*" OR CommandLine="*auditpol /remove*"))
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=1102)
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=4719)
| eval TamperType=case(
    EventCode==1 AND match(CommandLine, "(?i)sc\s+(stop|config).*eventlog"), "EventLog Service Tampering",
    EventCode==1 AND match(CommandLine, "(?i)(net\s+stop|stop-service).*eventlog"), "EventLog Service Stop",
    EventCode==1 AND match(CommandLine, "(?i)wevtutil\s+cl"), "Event Log Clear (wevtutil)",
    EventCode==1 AND match(CommandLine, "(?i)wevtutil\s+sl"), "Event Log Settings Modified",
    EventCode==1 AND match(CommandLine, "(?i)auditpol\s+/(clear|remove)"), "Audit Policy Cleared",
    EventCode==1 AND match(CommandLine, "(?i)auditpol\s+/set"), "Audit Policy Modified",
    EventCode==1102, "Security Log Cleared (1102)",
    EventCode==4719, "Audit Policy Changed (4719)",
    true(), "Unknown")
| table _time, host, User, EventCode, TamperType, CommandLine, Message
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation Windows Event Log: Security Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators clearing event logs during troubleshooting or after resolving known issues with full change control documentation
Log rotation scripts that archive and clear old event logs on a scheduled basis
SIEM agents or log forwarders that modify event log settings during initial deployment or reconfiguration

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    (
      (process.name : ("sc.exe", "net.exe", "net1.exe") and process.command_line : ("*stop*eventlog*", "*config*eventlog*")) or
      (process.name : ("powershell.exe", "pwsh.exe") and process.command_line : ("*Stop-Service*EventLog*", "*Set-Service*EventLog*")) or
      (process.name == "wevtutil.exe" and process.args : ("cl", "sl")) or
      (process.name == "auditpol.exe" and process.args : ("/clear", "/set", "/remove"))
    )
  ) or
  (
    event.category == "registry" and event.type in ("change", "creation") and
    registry.path : (
      "*\\Control\\WMI\\Autologger\\EventLog-Security*",
      "*\\Control\\WMI\\Autologger\\EventLog-System*",
      "*\\Control\\WMI\\Autologger\\EventLog-Application*",
      "*\\SYSTEM\\CurrentControlSet\\Services\\EventLog*"
    ) and
    registry.value : ("Start", "Enabled", "EnableProperty")
  ) or
  winlog.event_id == 1102 or
  winlog.event_id == 4719

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat (Windows Event Logs) Elastic Agent with Windows integration Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-* logs-windows.sysmon_operational-* logs-windows.security-*

False Positives

IT administrators running sc.exe or net.exe against EventLog during planned maintenance windows — correlate against change tickets
Group Policy application or compliance hardening scripts using auditpol /set to baseline audit settings on domain join or scheduled tasks
EDR or backup agents that write to autologger registry keys as part of their own telemetry or VSS snapshot instrumentation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "Command Line" AS CommandLine,
  "Process Name" AS ProcessName,
  CATEGORYNAME(category) AS Category
FROM events
WHERE
  (
    "Command Line" ILIKE '%sc stop eventlog%' OR
    "Command Line" ILIKE '%sc config eventlog%' OR
    "Command Line" ILIKE '%net stop eventlog%' OR
    "Command Line" ILIKE '%stop-service%eventlog%' OR
    "Command Line" ILIKE '%set-service%eventlog%' OR
    "Command Line" ILIKE '%wevtutil cl%' OR
    "Command Line" ILIKE '%wevtutil sl%' OR
    "Command Line" ILIKE '%auditpol /clear%' OR
    "Command Line" ILIKE '%auditpol /set%' OR
    "Command Line" ILIKE '%auditpol /remove%'
  )
  OR
  (
    CATEGORYNAME(category) ILIKE '%audit%' AND
    (
      QIDNAME(qid) ILIKE '%log cleared%' OR
      QIDNAME(qid) ILIKE '%audit policy%changed%' OR
      QIDNAME(qid) ILIKE '%security log%cleared%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar with Windows Security Event Log DSM Sysmon log source via Windows Event Log DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Automated patch management or MDM solutions invoking auditpol or sc.exe during system configuration phases
Security team running wevtutil cl on dev or lab systems to clear logs between test runs
Domain Group Policy Objects applying audit policy baselines via auditpol /set on machine startup

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*WinEventLog*)
| where (EventID in ("1", "4688") and (
    CommandLine matches /(?i)sc\s+(stop|config)\s+eventlog/ or
    CommandLine matches /(?i)net\s+stop\s+eventlog/ or
    CommandLine matches /(?i)(stop-service|set-service).{0,40}eventlog/ or
    CommandLine matches /(?i)wevtutil\s+(cl|sl)/ or
    CommandLine matches /(?i)auditpol\s+\/(clear|set|remove)/
  )) or EventID = "1102" or EventID = "4719"
| eval TamperType = if(EventID = "1102", "Security Log Cleared (EID 1102)",
    if(EventID = "4719", "Audit Policy Changed (EID 4719)",
    if(CommandLine matches /(?i)sc\s+(stop|config).*eventlog/, "EventLog Service Tampering",
    if(CommandLine matches /(?i)(net\s+stop|stop-service).*eventlog/, "EventLog Service Stop",
    if(CommandLine matches /(?i)wevtutil\s+cl/, "Event Log Clear via wevtutil",
    if(CommandLine matches /(?i)wevtutil\s+sl/, "Event Log Settings Modified via wevtutil",
    if(CommandLine matches /(?i)auditpol\s+\/clear/, "Audit Policy Cleared",
    if(CommandLine matches /(?i)auditpol\s+\/set/, "Audit Policy Modified",
    if(CommandLine matches /(?i)auditpol\s+\/remove/, "Audit Policy Users Removed",
    "Unknown")))))))))
| table _time, Computer, User, EventID, TamperType, CommandLine
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic Windows Event Log source Sysmon operational log via Sumo Logic installed collector Windows Security Event Log

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

IT operations running wevtutil cl on test systems or during log rotation procedures without proper change documentation
Compliance tooling that reconfigures audit policies (auditpol /set) on a scheduled basis as part of CIS benchmark enforcement
Endpoint management agents stopping and restarting the EventLog service during software deployment or patching cycles

Google Chronicle / SecOps

yaral

rule t1562_002_disable_windows_event_logging {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects attempts to disable or tamper with Windows event logging via sc.exe, net.exe, wevtutil.exe, auditpol.exe, or PowerShell Stop-Service/Set-Service commands"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1562/002/"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    re.regex(
      $e.target.process.command_line,
      `(?i)(sc\s+(stop|config)\s+eventlog|net\s+stop\s+eventlog|(stop-service|set-service).{0,40}eventlog|wevtutil\s+(cl|sl)\b|auditpol\s+/(clear|set|remove))`
    )

  condition:
    $e
}

rule t1562_002_audit_log_cleared {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Windows Security audit log cleared (EID 1102) or audit policy changed (EID 4719) — indicators of T1562.002 post-tampering evidence destruction"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.002"
    severity = "CRITICAL"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.principal.hostname = $hostname
    $e.metadata.product_event_type in ("1102", "4719")

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM with Windows Event Log ingestion Chronicle Forwarder with Sysmon feed Windows Security Event Log via Chronicle

Required Tables

UDM events (PROCESS_LAUNCH) UDM events (USER_RESOURCE_ACCESS)

False Positives

System administrators running auditpol.exe during quarterly audit policy reviews or after Active Directory Group Policy changes
Automated penetration testing tooling in authorized red team engagements that clears logs as part of post-exploitation cleanup simulation
Windows Server backup agents using wevtutil sl to reconfigure log size limits or retention policies during maintenance

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(sc\s+(stop|config)\s+eventlog|net\s+stop\s+eventlog|(stop-service|set-service).{0,40}eventlog|wevtutil\s+(cl|sl)|auditpol\s+\/(clear|set|remove))/
| case {
    CommandLine = /(?i)sc\s+(stop|config).*eventlog/ => TamperType := "EventLog Service Tampering" ;
    CommandLine = /(?i)(net\s+stop|stop-service).*eventlog/ => TamperType := "EventLog Service Stop" ;
    CommandLine = /(?i)wevtutil\s+cl/ => TamperType := "Event Log Clear via wevtutil" ;
    CommandLine = /(?i)wevtutil\s+sl/ => TamperType := "Event Log Settings Modified" ;
    CommandLine = /(?i)auditpol\s+\/clear/ => TamperType := "Audit Policy Cleared" ;
    CommandLine = /(?i)auditpol\s+\/set/ => TamperType := "Audit Policy Modified" ;
    CommandLine = /(?i)auditpol\s+\/remove/ => TamperType := "Audit Policy Users Removed" ;
    * => TamperType := "Unknown"
  }
| table([ComputerName, UserName, FileName, CommandLine, TamperType, @timestamp])
| sort(field=@timestamp, order=desc, limit=500)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor (ProcessRollup2 events) Falcon Data Replicator or LogScale SIEM connector

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself or other endpoint agents invoking wevtutil or sc.exe during installation, update, or self-healing routines
Windows Defender or third-party AV products that reconfigure audit logging via auditpol as part of tamper protection hardening
IT automation platforms (Ansible, SCCM, Puppet) executing EventLog configuration commands during OS baseline enforcement

Disable Windows Event Logging

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections