Detect Disable Windows Event Logging in CrowdStrike LogScale
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. This includes stopping the EventLog service, modifying audit policies with auditpol.exe, altering registry keys that control event log autologger sessions, or using wevtutil to disable specific logs. Adversaries may also target application-specific logging such as IIS logs using appcmd.exe.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.002 Disable Windows Event Logging
- Canonical reference
- https://attack.mitre.org/techniques/T1562/002/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(sc\s+(stop|config)\s+eventlog|net\s+stop\s+eventlog|(stop-service|set-service).{0,40}eventlog|wevtutil\s+(cl|sl)|auditpol\s+\/(clear|set|remove))/
| case {
CommandLine = /(?i)sc\s+(stop|config).*eventlog/ => TamperType := "EventLog Service Tampering" ;
CommandLine = /(?i)(net\s+stop|stop-service).*eventlog/ => TamperType := "EventLog Service Stop" ;
CommandLine = /(?i)wevtutil\s+cl/ => TamperType := "Event Log Clear via wevtutil" ;
CommandLine = /(?i)wevtutil\s+sl/ => TamperType := "Event Log Settings Modified" ;
CommandLine = /(?i)auditpol\s+\/clear/ => TamperType := "Audit Policy Cleared" ;
CommandLine = /(?i)auditpol\s+\/set/ => TamperType := "Audit Policy Modified" ;
CommandLine = /(?i)auditpol\s+\/remove/ => TamperType := "Audit Policy Users Removed" ;
* => TamperType := "Unknown"
}
| table([ComputerName, UserName, FileName, CommandLine, TamperType, @timestamp])
| sort(field=@timestamp, order=desc, limit=500)CrowdStrike LogScale (Falcon) query using ProcessRollup2 events to detect EventLog service tampering, wevtutil log manipulation, and auditpol audit policy changes. Uses regex alternation for efficient single-pass matching and case expressions for human-readable TamperType classification.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor itself or other endpoint agents invoking wevtutil or sc.exe during installation, update, or self-healing routines
- Windows Defender or third-party AV products that reconfigure audit logging via auditpol as part of tamper protection hardening
- IT automation platforms (Ansible, SCCM, Puppet) executing EventLog configuration commands during OS baseline enforcement
Other platforms for T1562.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Clear Security Event Log with wevtutil
Expected signal: Security Event ID 1102 (audit log cleared) as the final event. Sysmon Event ID 1 with Image=wevtutil.exe and CommandLine='wevtutil cl Security'.
- Test 2Clear All Audit Policies with auditpol
Expected signal: Security Event ID 4719 (system audit policy changed). Sysmon Event ID 1 with Image=auditpol.exe.
- Test 3Disable EventLog Service via Registry
Expected signal: Sysmon Event ID 13: Registry value set for HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start with value 4 (disabled). Sysmon Event ID 1: reg.exe process creation.
References (5)
- https://attack.mitre.org/techniques/T1562/002/
- https://ptylu.github.io/content/report/report.html?report=25
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
- https://learn.microsoft.com/en-us/windows/win32/eventlog/event-log-security
Unlock Pro Content
Get the full detection package for T1562.002 including response playbook, investigation guide, and atomic red team tests.