T1562.002 IBM QRadar · QRadar

Detect Disable Windows Event Logging in IBM QRadar

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. This includes stopping the EventLog service, modifying audit policies with auditpol.exe, altering registry keys that control event log autologger sessions, or using wevtutil to disable specific logs. Adversaries may also target application-specific logging such as IIS logs using appcmd.exe.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1562 Impair Defenses
Sub-technique: T1562.002 Disable Windows Event Logging
Canonical reference: https://attack.mitre.org/techniques/T1562/002/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "Command Line" AS CommandLine,
  "Process Name" AS ProcessName,
  CATEGORYNAME(category) AS Category
FROM events
WHERE
  (
    "Command Line" ILIKE '%sc stop eventlog%' OR
    "Command Line" ILIKE '%sc config eventlog%' OR
    "Command Line" ILIKE '%net stop eventlog%' OR
    "Command Line" ILIKE '%stop-service%eventlog%' OR
    "Command Line" ILIKE '%set-service%eventlog%' OR
    "Command Line" ILIKE '%wevtutil cl%' OR
    "Command Line" ILIKE '%wevtutil sl%' OR
    "Command Line" ILIKE '%auditpol /clear%' OR
    "Command Line" ILIKE '%auditpol /set%' OR
    "Command Line" ILIKE '%auditpol /remove%'
  )
  OR
  (
    CATEGORYNAME(category) ILIKE '%audit%' AND
    (
      QIDNAME(qid) ILIKE '%log cleared%' OR
      QIDNAME(qid) ILIKE '%audit policy%changed%' OR
      QIDNAME(qid) ILIKE '%security log%cleared%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity: high · Confidence: medium

This AQL query for IBM QRadar detects Windows event logging tampering in two ways: command-line patterns (sc.exe, net.exe, wevtutil, auditpol, PowerShell Stop-Service/Set-Service) and QID-matched events for audit log cleared and audit policy changed. It relies on the QRadar DSM custom properties "Command Line" and "Process Name" being extracted from Sysmon or Windows Security events.
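As an added example (not from the page or from IBM), the query's two branches re-implemented in Python and run over constructed sample events so the matching logic can be checked offline; it is extended with an assumed third branch for the Sysmon Event ID 13 registry write that Test 3 below expects but the AQL itself does not cover. Field names mirror the AQL's selected columns; the registry branch and the sample events are assumptions.

```python
import re

# Command-line fragments from the AQL above ('%' as in ILIKE: any run of characters).
CMDLINE_PATTERNS = [
    "sc stop eventlog", "sc config eventlog", "net stop eventlog",
    "stop-service%eventlog", "set-service%eventlog", "wevtutil cl", "wevtutil sl",
    "auditpol /clear", "auditpol /set", "auditpol /remove",
]
# QIDNAME fragments from the AQL's second branch.
EVENTNAME_PATTERNS = ["log cleared", "audit policy%changed", "security log%cleared"]
# Registry value from Test 3; this branch is an assumed extension, not in the AQL.
EVENTLOG_START_RE = re.compile(r"\\Services\\EventLog\\Start$", re.I)

def ilike(pattern):
    """Translate an AQL ILIKE '%a%b%' fragment into a case-insensitive regex."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("%")), re.I)

CMDLINE_RE = [(p, ilike(p)) for p in CMDLINE_PATTERNS]
EVENTNAME_RE = [(p, ilike(p)) for p in EVENTNAME_PATTERNS]

def match_event(ev):
    """Return why the event fires, or None. Keys mirror the AQL's selected columns."""
    for text, rx in CMDLINE_RE:                    # branch 1: command-line patterns
        if rx.search(ev.get("CommandLine", "")):
            return "cmdline:" + text
    if "audit" in ev.get("Category", "").lower():  # branch 2: audit-category QIDs
        for text, rx in EVENTNAME_RE:
            if rx.search(ev.get("EventName", "")):
                return "qid:" + text
    # Assumed branch for Test 3: Sysmon EID 13 sets EventLog\Start to 4 (disabled); Sysmon renders DWORDs as "DWORD (0x00000004)".
    if (ev.get("EventID") == 13 and EVENTLOG_START_RE.search(ev.get("TargetObject", ""))
            and "0x00000004" in ev.get("Details", "")):
        return "registry:EventLog Start=4"
    return None

def detect(events):
    """Run the rule over a list of events; return (EventTime, reason) for each hit."""
    hits = [(ev["EventTime"], match_event(ev)) for ev in events]
    return [h for h in hits if h[1]]

# Constructed sample events, not real telemetry (EventTime as the AQL's DATEFORMAT).
SAMPLE_EVENTS = [
    {"EventTime": "2024-01-01 10:00:00", "EventID": 1, "Category": "Process",
     "CommandLine": "wevtutil cl Security"},
    {"EventTime": "2024-01-01 10:00:01", "EventID": 1102, "Category": "Audit",
     "EventName": "Audit Log Cleared"},
    {"EventTime": "2024-01-01 10:07:00", "EventID": 13, "Category": "Registry",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start",
     "Details": "DWORD (0x00000004)"},
]
```

Because the AQL fragments are literal substrings, "wevtutil cl" does not match an invocation recorded as wevtutil.exe cl; widen the pattern if your command-line property includes the image name.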

Data Sources

  • IBM QRadar with Windows Security Event Log DSM
  • Sysmon log source via Windows Event Log DSM
  • Microsoft Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Automated patch management or MDM solutions invoking auditpol or sc.exe during system configuration phases
  • Security team running wevtutil cl on dev or lab systems to clear logs between test runs
  • Domain Group Policy Objects applying audit policy baselines via auditpol /set on machine startup

Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Clear Security Event Log with wevtutil

    Expected signal: Security Event ID 1102 (audit log cleared) as the final event. Sysmon Event ID 1 with Image=wevtutil.exe and CommandLine='wevtutil cl Security'.

  2. Test 2: Clear All Audit Policies with auditpol

    Expected signal: Security Event ID 4719 (system audit policy changed). Sysmon Event ID 1 with Image=auditpol.exe.

  3. Test 3: Disable EventLog Service via Registry

    Expected signal: Sysmon Event ID 13: Registry value set for HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start with value 4 (disabled). Sysmon Event ID 1: reg.exe process creation.
