Detect Disable Windows Event Logging in Elastic Security
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. This includes stopping the EventLog service, modifying audit policies with auditpol.exe, altering registry keys that control event log autologger sessions, or using wevtutil to disable specific logs. Adversaries may also target application-specific logging such as IIS logs using appcmd.exe.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.002 Disable Windows Event Logging
- Canonical reference
- https://attack.mitre.org/techniques/T1562/002/
Elastic Detection Query
any where
(
event.category == "process" and event.type == "start" and
(
(process.name : ("sc.exe", "net.exe", "net1.exe") and process.command_line : ("*stop*eventlog*", "*config*eventlog*")) or
(process.name : ("powershell.exe", "pwsh.exe") and process.command_line : ("*Stop-Service*EventLog*", "*Set-Service*EventLog*")) or
(process.name == "wevtutil.exe" and process.args : ("cl", "sl")) or
(process.name == "auditpol.exe" and process.args : ("/clear", "/set", "/remove"))
)
) or
(
event.category == "registry" and event.type in ("change", "creation") and
registry.path : (
"*\\Control\\WMI\\Autologger\\EventLog-Security*",
"*\\Control\\WMI\\Autologger\\EventLog-System*",
"*\\Control\\WMI\\Autologger\\EventLog-Application*",
"*\\SYSTEM\\CurrentControlSet\\Services\\EventLog*"
) and
registry.value : ("Start", "Enabled", "EnableProperty")
) or
winlog.event_id == 1102 or
winlog.event_id == 4719Detects Windows event logging tampering across four vectors: (1) process commands targeting EventLog via sc.exe, net.exe, wevtutil.exe, auditpol.exe, or PowerShell; (2) autologger and EventLog service registry key modifications; (3) security audit log cleared (EID 1102); (4) audit policy changes (EID 4719). Maps to MITRE T1562.002.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators running sc.exe or net.exe against EventLog during planned maintenance windows — correlate against change tickets
- Group Policy application or compliance hardening scripts using auditpol /set to baseline audit settings on domain join or scheduled tasks
- EDR or backup agents that write to autologger registry keys as part of their own telemetry or VSS snapshot instrumentation
Other platforms for T1562.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Clear Security Event Log with wevtutil
Expected signal: Security Event ID 1102 (audit log cleared) as the final event. Sysmon Event ID 1 with Image=wevtutil.exe and CommandLine='wevtutil cl Security'.
- Test 2Clear All Audit Policies with auditpol
Expected signal: Security Event ID 4719 (system audit policy changed). Sysmon Event ID 1 with Image=auditpol.exe.
- Test 3Disable EventLog Service via Registry
Expected signal: Sysmon Event ID 13: Registry value set for HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start with value 4 (disabled). Sysmon Event ID 1: reg.exe process creation.
References (5)
- https://attack.mitre.org/techniques/T1562/002/
- https://ptylu.github.io/content/report/report.html?report=25
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
- https://learn.microsoft.com/en-us/windows/win32/eventlog/event-log-security
Unlock Pro Content
Get the full detection package for T1562.002 including response playbook, investigation guide, and atomic red team tests.