T1562.002 Google Chronicle · YARA-L

Detect Disable Windows Event Logging in Google Chronicle

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. This includes stopping the EventLog service, modifying audit policies with auditpol.exe, altering registry keys that control event log autologger sessions, or using wevtutil to disable specific logs. Adversaries may also target application-specific logging such as IIS logs using appcmd.exe.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.002 Disable Windows Event Logging
Canonical reference
https://attack.mitre.org/techniques/T1562/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
// Rule 1: command-line indicators of EventLog service tampering.
rule t1562_002_disable_windows_event_logging {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects attempts to disable or tamper with Windows event logging via sc.exe, net.exe, wevtutil.exe, auditpol.exe, or PowerShell Stop-Service/Set-Service commands"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1562/002/"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    // Process creation telemetry (Sysmon EID 1 / Security EID 4688 normalized to UDM).
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    // Case-insensitive RE2 match on the launched process command line:
    //   sc stop|config eventlog, net stop eventlog, Stop-/Set-Service ... eventlog,
    //   wevtutil cl (clear log) / sl (set log config), auditpol /clear|/set|/remove.
    re.regex(
      $e.target.process.command_line,
      `(?i)(sc\s+(stop|config)\s+eventlog|net\s+stop\s+eventlog|(stop-service|set-service).{0,40}eventlog|wevtutil\s+(cl|sl)\b|auditpol\s+/(clear|set|remove))`
    )

  condition:
    $e
}

// Rule 2: host-side artifacts left after the tampering has succeeded.
rule t1562_002_audit_log_cleared {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Windows Security audit log cleared (EID 1102) or audit policy changed (EID 4719) — indicators of T1562.002 post-tampering evidence destruction"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.002"
    severity = "CRITICAL"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.principal.hostname = $hostname
    // Windows Security Event IDs: 1102 = audit log cleared, 4719 = system audit policy changed.
    $e.metadata.product_event_type in ("1102", "4719")

  condition:
    $e
}

Two Chronicle YARA-L 2.0 rules for T1562.002: the first matches process launch events where the command line contains EventLog service tampering patterns (sc.exe, net.exe, wevtutil, auditpol, PowerShell); the second detects the resulting artifacts — Windows Security log cleared (EID 1102) or audit policy changed (EID 4719).

Data Sources

  • Google Chronicle UDM with Windows Event Log ingestion
  • Chronicle Forwarder with Sysmon feed
  • Windows Security Event Log via Chronicle

Required Tables

  • UDM events (PROCESS_LAUNCH)
  • UDM events (USER_RESOURCE_ACCESS)

False Positives & Tuning

  • System administrators running auditpol.exe during quarterly audit policy reviews or after Active Directory Group Policy changes
  • Automated penetration testing tooling in authorized red team engagements that clears logs as part of post-exploitation cleanup simulation
  • Windows Server backup agents using wevtutil sl to reconfigure log size limits or retention policies during maintenance

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Clear Security Event Log with wevtutil

    Expected signal: Security Event ID 1102 (audit log cleared) as the final event. Sysmon Event ID 1 with Image=wevtutil.exe and CommandLine='wevtutil cl Security'.

  2. Test 2: Clear All Audit Policies with auditpol

    Expected signal: Security Event ID 4719 (system audit policy changed). Sysmon Event ID 1 with Image=auditpol.exe.

  3. Test 3: Disable EventLog Service via Registry

    Expected signal: Sysmon Event ID 13: Registry value set for HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start with value 4 (disabled). Sysmon Event ID 1: reg.exe process creation.
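To check offline how the two rules above behave against the three Atomic Red Team tests and against the "backup agent running wevtutil sl" false-positive case, the following Python script is an added example (not part of the original page or of the Argus rule package). It copies the command-line regex from the first rule, mirrors the event-ID check of the second, and replays both over constructed UDM-like events. The hostnames, user names, the `svc_backup` maintenance account and the allowlist logic are assumptions for illustration. It also goes slightly beyond the text by making visible that Test 3 (reg.exe setting the EventLog Start value) is not covered by the command-line regex, so that test relies on Sysmon EID 13 registry telemetry rather than on either rule.

```python
import re

# Regex copied from the page's rule t1562_002_disable_windows_event_logging.
# Python's re and RE2 (used by Chronicle) agree on (?i), \s, \b and {m,n} here.
CMDLINE_PATTERN = re.compile(
    r"(?i)(sc\s+(stop|config)\s+eventlog|net\s+stop\s+eventlog|"
    r"(stop-service|set-service).{0,40}eventlog|wevtutil\s+(cl|sl)\b|"
    r"auditpol\s+/(clear|set|remove))"
)

# Windows Security Event IDs keyed on by rule t1562_002_audit_log_cleared.
AUDIT_EVENT_IDS = {"1102", "4719"}

# Tuning allowlist (hypothetical): service account of a backup agent that runs
# "wevtutil sl" to set log size/retention during maintenance windows.
MAINTENANCE_ACCOUNTS = {"svc_backup"}

# Constructed events, flattened to the fields the rules read.
SAMPLE_EVENTS = [
    # Test 1: wevtutil clears the Security log, followed by the EID 1102 artifact
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws01", "user": "jdoe",
     "command_line": "wevtutil cl Security", "product_event_type": "1"},
    {"event_type": "USER_RESOURCE_ACCESS", "hostname": "ws01", "user": "jdoe",
     "command_line": "", "product_event_type": "1102"},
    # Test 2: auditpol clears all audit policies, followed by EID 4719
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws01", "user": "jdoe",
     "command_line": "auditpol /clear /y", "product_event_type": "1"},
    {"event_type": "USER_RESOURCE_ACCESS", "hostname": "ws01", "user": "jdoe",
     "command_line": "", "product_event_type": "4719"},
    # Test 3: reg.exe sets the EventLog service Start value to 4 (disabled)
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws01", "user": "jdoe",
     "command_line": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\EventLog"
                     r" /v Start /t REG_DWORD /d 4 /f",
     "product_event_type": "1"},
    # Tuning case: backup agent resizing a log with wevtutil sl (constructed)
    {"event_type": "PROCESS_LAUNCH", "hostname": "srv01", "user": "svc_backup",
     "command_line": "wevtutil sl Application /ms:104857600",
     "product_event_type": "1"},
    # Benign, unrelated process launch
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws02", "user": "jdoe",
     "command_line": "notepad.exe C:\\notes.txt", "product_event_type": "1"},
]


def rule_command_line(event):
    """Mirror of rule 1: PROCESS_LAUNCH whose command line matches the regex."""
    return (event["event_type"] == "PROCESS_LAUNCH"
            and CMDLINE_PATTERN.search(event["command_line"]) is not None)


def rule_audit_artifact(event):
    """Mirror of rule 2: USER_RESOURCE_ACCESS carrying Security EID 1102 or 4719."""
    return (event["event_type"] == "USER_RESOURCE_ACCESS"
            and event["product_event_type"] in AUDIT_EVENT_IDS)


def is_tuned_out(event):
    """Suppress only the page's third false-positive case: a maintenance account
    running 'wevtutil sl' (log configuration). 'wevtutil cl' (clearing) still fires."""
    return (event["user"] in MAINTENANCE_ACCOUNTS
            and re.search(r"(?i)wevtutil\s+sl\b", event["command_line"]) is not None)


def evaluate(events):
    """Return (label, [rule names that fire after tuning]) for each event."""
    results = []
    for ev in events:
        fired = []
        if rule_command_line(ev) and not is_tuned_out(ev):
            fired.append("t1562_002_disable_windows_event_logging")
        if rule_audit_artifact(ev):
            fired.append("t1562_002_audit_log_cleared")
        label = ev["command_line"] or f"EID {ev['product_event_type']}"
        results.append((label, fired))
    return results


if __name__ == "__main__":
    for label, fired in evaluate(SAMPLE_EVENTS):
        print(f"{label[:60]:60} -> {fired or 'no match'}")
```

Running it shows Test 1 and Test 2 each producing one hit per rule (the command line, then the 1102/4719 artifact), the `svc_backup` `wevtutil sl` launch suppressed by the allowlist while the same account running `wevtutil cl` would still alert, and the Test 3 `reg add` command line producing no hit from either rule.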
