T1562.002 Microsoft Sentinel · KQL

Detect Disable Windows Event Logging in Microsoft Sentinel

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. This includes stopping the EventLog service, modifying audit policies with auditpol.exe, altering registry keys that control event log autologger sessions, or using wevtutil to disable specific logs. Adversaries may also target application-specific logging such as IIS logs using appcmd.exe.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1562 Impair Defenses
Sub-technique: T1562.002 Disable Windows Event Logging
Canonical reference: https://attack.mitre.org/techniques/T1562/002/

KQL Detection Query

Microsoft Sentinel (KQL)

// Command-line indicators: EventLog service stop/disable, wevtutil log clear or
// settings change, and auditpol policy clear/set/remove.
let EventLogTampering = dynamic(["sc stop EventLog", "sc config EventLog start=disabled", "net stop EventLog", "Stop-Service EventLog", "Set-Service -Name EventLog -Status Stopped", "wevtutil sl", "wevtutil cl", "auditpol /clear", "auditpol /set", "auditpol /remove /allusers"]);
// Registry paths for the EventLog service and the WMI Autologger sessions that
// feed the Security, System and Application logs.
let RegistryPaths = dynamic(["Control\\WMI\\Autologger\\EventLog-Security", "Control\\WMI\\Autologger\\EventLog-System", "Control\\WMI\\Autologger\\EventLog-Application", "Services\\EventLog"]);
union DeviceProcessEvents, DeviceRegistryEvents
| where Timestamp > ago(24h)
// Process branch matches the command line; registry branch matches value writes to
// Start / Enabled / EnableProperty under the listed keys.
| where (ProcessCommandLine has_any (EventLogTampering))
   or (ActionType == "RegistryValueSet" and RegistryKey has_any (RegistryPaths) and RegistryValueName in ("Start", "Enabled", "EnableProperty"))
// First matching branch wins; registry events fall through to the Autologger label.
| extend TamperType = case(
    ProcessCommandLine has "sc stop EventLog" or ProcessCommandLine has "net stop EventLog" or ProcessCommandLine has "Stop-Service EventLog", "EventLog Service Stop",
    ProcessCommandLine has "sc config EventLog", "EventLog Service Disable",
    ProcessCommandLine has "wevtutil cl", "Event Log Clear",
    ProcessCommandLine has "wevtutil sl", "Event Log Settings Modified",
    ProcessCommandLine has "auditpol /clear" or ProcessCommandLine has "auditpol /remove", "Audit Policy Clear",
    ProcessCommandLine has "auditpol /set", "Audit Policy Modified",
    ActionType == "RegistryValueSet", "Autologger Registry Modified",
    "Unknown")
| project Timestamp, DeviceName, AccountName, TamperType, ProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc

Severity: critical · Confidence: high

Detects Windows event logging impairment through service manipulation, log clearing, audit policy modification, and autologger registry tampering. Covers EventLog service stopping/disabling, wevtutil log clearing/settings changes, auditpol policy clearing, and direct registry modifications to WMI Autologger keys that control Security/System/Application log generation.
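Before deploying a query like this it helps to exercise the filter and the case() labelling against known rows. The following Python is an added example, not the page's query or any Microsoft code: it mirrors the where-filter and the TamperType branches over constructed DeviceProcessEvents / DeviceRegistryEvents rows. KQL `has` and `has_any` are approximated as case-insensitive matching of whole terms in sequence; that approximation is an assumption, so confirm phrase behaviour in your own workspace.

```python
"""Added example (not part of the original page or its Sentinel query): a Python
replica of the KQL detection logic so the filter and TamperType classification can
be unit-tested against constructed rows. KQL `has`/`has_any` are approximated as
case-insensitive whole-term matching in sequence (an assumption)."""
import re
from typing import Optional

# Indicator lists copied from the KQL query.
EVENTLOG_TAMPERING = [
    "sc stop EventLog", "sc config EventLog start=disabled", "net stop EventLog",
    "Stop-Service EventLog", "Set-Service -Name EventLog -Status Stopped",
    "wevtutil sl", "wevtutil cl", "auditpol /clear", "auditpol /set",
    "auditpol /remove /allusers",
]
REGISTRY_PATHS = [
    r"Control\WMI\Autologger\EventLog-Security",
    r"Control\WMI\Autologger\EventLog-System",
    r"Control\WMI\Autologger\EventLog-Application",
    r"Services\EventLog",
]
REGISTRY_VALUE_NAMES = {"Start", "Enabled", "EnableProperty"}

_TERM_SPLIT = re.compile(r"[^A-Za-z0-9_]+")


def _terms(text: str) -> list:
    """Approximate KQL term tokenisation: alphanumeric runs, case-folded;
    characters such as '\\', '-', '/', '.' and '=' act as delimiters."""
    return [t.lower() for t in _TERM_SPLIT.split(text) if t]


def has(text: Optional[str], phrase: str) -> bool:
    """Approximation of KQL `has`: the terms of `phrase` occur as a consecutive run
    of whole terms in `text`. Substrings ('wevtutilcl') do not match, and neither
    does 'wevtutil.exe cl Security' for the phrase 'wevtutil cl' because the term
    'exe' sits between the two terms."""
    if not text:
        return False
    hay, needle = _terms(text), _terms(phrase)
    n = len(needle)
    return any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def has_any(text: Optional[str], phrases) -> bool:
    return any(has(text, p) for p in phrases)


def tamper_type(row: dict) -> Optional[str]:
    """Return the TamperType label the KQL case() would assign to `row`, or None
    when the row would not pass the query's where-filter at all."""
    cmd = row.get("ProcessCommandLine")
    cmd_hit = has_any(cmd, EVENTLOG_TAMPERING)
    reg_hit = (
        row.get("ActionType") == "RegistryValueSet"
        and has_any(row.get("RegistryKey"), REGISTRY_PATHS)
        and row.get("RegistryValueName") in REGISTRY_VALUE_NAMES
    )
    if not (cmd_hit or reg_hit):
        return None
    # Branch order mirrors the case() in the query: the first match wins.
    if has_any(cmd, ["sc stop EventLog", "net stop EventLog", "Stop-Service EventLog"]):
        return "EventLog Service Stop"
    if has(cmd, "sc config EventLog"):
        return "EventLog Service Disable"
    if has(cmd, "wevtutil cl"):
        return "Event Log Clear"
    if has(cmd, "wevtutil sl"):
        return "Event Log Settings Modified"
    if has(cmd, "auditpol /clear") or has(cmd, "auditpol /remove"):
        return "Audit Policy Clear"
    if has(cmd, "auditpol /set"):
        return "Audit Policy Modified"
    if row.get("ActionType") == "RegistryValueSet":
        return "Autologger Registry Modified"
    return "Unknown"


# Constructed sample rows (not real telemetry): one per branch, one indicator that
# passes the filter but reaches the fall-through label, and two benign look-alikes.
SAMPLE_ROWS = [
    {"DeviceName": "ws01", "ActionType": "ProcessCreated",
     "ProcessCommandLine": "wevtutil cl Security"},
    {"DeviceName": "ws01", "ActionType": "ProcessCreated",
     "ProcessCommandLine": "auditpol /clear /y"},
    {"DeviceName": "srv02", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog",
     "RegistryValueName": "Start", "RegistryValueData": "4"},
    {"DeviceName": "ws03", "ActionType": "ProcessCreated",
     "ProcessCommandLine": "powershell.exe -Command Set-Service -Name EventLog -Status Stopped"},
    {"DeviceName": "ws01", "ActionType": "ProcessCreated",
     "ProcessCommandLine": "wevtutil qe Security /c:5 /f:text"},
    {"DeviceName": "srv02", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Parameters",
     "RegistryValueName": "ServiceDll", "RegistryValueData": "wevtsvc.dll"},
]


def run_detection(rows) -> list:
    """Project (DeviceName, TamperType) for every row the query would return."""
    return [(r["DeviceName"], tamper_type(r)) for r in rows if tamper_type(r) is not None]


if __name__ == "__main__":
    for device, label in run_detection(SAMPLE_ROWS):
        print(f"{device}: {label}")
```

Two things the harness surfaces that the query text alone does not: the Set-Service indicator passes the filter but is labelled "Unknown" because no case() branch names it, and under the whole-term approximation a command line that spells out `wevtutil.exe` does not match the two-term phrase `wevtutil cl`. Both are worth checking against real DeviceProcessEvents rows in the workspace before tuning.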

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Windows Registry: Windows Registry Key Modification
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceRegistryEvents

False Positives & Tuning

  • IT administrators clearing event logs during troubleshooting or after resolving known issues with full change control documentation
  • Log rotation scripts that archive and clear old event logs on a scheduled basis
  • SIEM agents or log forwarders that modify event log settings during initial deployment or reconfiguration

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Clear Security Event Log with wevtutil

    Expected signal: Security Event ID 1102 (audit log cleared) as the final event. Sysmon Event ID 1 with Image=wevtutil.exe and CommandLine='wevtutil cl Security'.

  2. Test 2: Clear All Audit Policies with auditpol

    Expected signal: Security Event ID 4719 (system audit policy changed). Sysmon Event ID 1 with Image=auditpol.exe.

  3. Test 3: Disable EventLog Service via Registry

    Expected signal: Sysmon Event ID 13: Registry value set for HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start with value 4 (disabled). Sysmon Event ID 1: reg.exe process creation.
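Checking the expected signals by hand after each test is error-prone, so the following added example (not from the original page or from Atomic Red Team) encodes the three expected-signal lists above as predicates and runs them over an exported batch of Windows events. Events are supplied as dicts in the shape a JSON export from a log collector might take; the field names Channel, EventID, Image, CommandLine, TargetObject and Details follow Sysmon and Security event data, and the sample events are constructed, with Test 3's reg.exe process-creation record deliberately left out to show what a missing signal looks like.

```python
"""Added example (not from the original page): validate that each Atomic test's
expected telemetry is present in an exported batch of Windows events. Event dicts
and their field names are an assumed export shape; the sample events are constructed."""
import re
from collections.abc import Callable, Iterable
from typing import Optional

SYSMON = "Microsoft-Windows-Sysmon/Operational"
Event = dict
Predicate = Callable[[Event], bool]


def security(eid: int) -> Predicate:
    """Security channel event with the given Event ID."""
    return lambda e: e.get("Channel") == "Security" and e.get("EventID") == eid


def sysmon_process(image_suffix: str, cmd_contains: Optional[str] = None) -> Predicate:
    """Sysmon Event ID 1 whose Image ends with image_suffix and, when given, whose
    CommandLine contains cmd_contains (both case-insensitive)."""
    def p(e: Event) -> bool:
        if e.get("Channel") != SYSMON or e.get("EventID") != 1:
            return False
        if not e.get("Image", "").lower().endswith(image_suffix.lower()):
            return False
        return cmd_contains is None or cmd_contains.lower() in e.get("CommandLine", "").lower()
    return p


_HEX_DWORD = re.compile(r"0x([0-9A-Fa-f]+)")


def sysmon_registry_set(target_suffix: str, dword: int) -> Predicate:
    """Sysmon Event ID 13 whose TargetObject ends with target_suffix and whose
    Details field ('DWORD (0x00000004)' in Sysmon's format, or a bare decimal
    from other exporters) decodes to dword."""
    def p(e: Event) -> bool:
        if e.get("Channel") != SYSMON or e.get("EventID") != 13:
            return False
        if not e.get("TargetObject", "").lower().endswith(target_suffix.lower()):
            return False
        details = e.get("Details", "")
        m = _HEX_DWORD.search(details)
        if m:
            return int(m.group(1), 16) == dword
        return details.strip().isdigit() and int(details) == dword
    return p


# Expected signals per test, as listed in the testing methodology.
EXPECTED_SIGNALS = {
    "Test 1": [
        ("Security 1102 audit log cleared", security(1102)),
        ("Sysmon 1 wevtutil.exe 'wevtutil cl Security'",
         sysmon_process("wevtutil.exe", "wevtutil cl Security")),
    ],
    "Test 2": [
        ("Security 4719 audit policy changed", security(4719)),
        ("Sysmon 1 auditpol.exe", sysmon_process("auditpol.exe")),
    ],
    "Test 3": [
        ("Sysmon 13 Services\\EventLog\\Start = 4",
         sysmon_registry_set(r"Services\EventLog\Start", 4)),
        ("Sysmon 1 reg.exe", sysmon_process("reg.exe")),
    ],
}


def validate(events: Iterable[Event]) -> dict:
    """For each test, report which expected signals occur anywhere in `events`."""
    events = list(events)
    return {
        test: {name: any(pred(e) for e in events) for name, pred in signals}
        for test, signals in EXPECTED_SIGNALS.items()
    }


def missing_signals(results: dict) -> list:
    """Flatten the report into 'Test N: signal' strings for absent telemetry."""
    return [f"{t}: {n}" for t, sig in results.items() for n, ok in sig.items() if not ok]


# Constructed sample export (not real telemetry). Test 3 was run from PowerShell
# rather than reg.exe here, so its Sysmon 1 reg.exe record is absent on purpose.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "admin"},
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"Channel": "Security", "EventID": 4719},
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\auditpol.exe",
     "CommandLine": "auditpol /clear /y"},
    {"Channel": SYSMON, "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\Start",
     "Details": "DWORD (0x00000004)"},
]

if __name__ == "__main__":
    report = validate(SAMPLE_EVENTS)
    for test, sig in report.items():
        for name, ok in sig.items():
            print(f"[{'ok' if ok else 'MISSING'}] {test}: {name}")
```

A missing entry in the report means either the test was not executed the way the methodology assumes (here, the registry change came from a different process than reg.exe) or the collector is not forwarding that channel, and both are worth resolving before trusting the Sentinel rule.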
