Detect Disable Windows Event Logging in Splunk
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. This includes stopping the EventLog service, modifying audit policies with auditpol.exe, altering registry keys that control event log autologger sessions, or using wevtutil to disable specific logs. Adversaries may also target application-specific logging such as IIS logs using appcmd.exe.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.002 Disable Windows Event Logging
- Canonical reference
- https://attack.mitre.org/techniques/T1562/002/
SPL Detection Query
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(CommandLine="*sc stop EventLog*" OR CommandLine="*sc config eventlog*" OR CommandLine="*net stop EventLog*" OR CommandLine="*Stop-Service*EventLog*" OR CommandLine="*wevtutil cl*" OR CommandLine="*wevtutil sl*" OR CommandLine="*auditpol /clear*" OR CommandLine="*auditpol /set*" OR CommandLine="*auditpol /remove*"))
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=1102)
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=4719)
| eval TamperType=case(
EventCode==1 AND match(CommandLine, "(?i)sc\s+(stop|config).*eventlog"), "EventLog Service Tampering",
EventCode==1 AND match(CommandLine, "(?i)(net\s+stop|stop-service).*eventlog"), "EventLog Service Stop",
EventCode==1 AND match(CommandLine, "(?i)wevtutil\s+cl"), "Event Log Clear (wevtutil)",
EventCode==1 AND match(CommandLine, "(?i)wevtutil\s+sl"), "Event Log Settings Modified",
EventCode==1 AND match(CommandLine, "(?i)auditpol\s+/(clear|remove)"), "Audit Policy Cleared",
EventCode==1 AND match(CommandLine, "(?i)auditpol\s+/set"), "Audit Policy Modified",
EventCode==1102, "Security Log Cleared (1102)",
EventCode==4719, "Audit Policy Changed (4719)",
true(), "Unknown")
| table _time, host, User, EventCode, TamperType, CommandLine, Message
| sort - _timeDetects event logging impairment via process creation (Sysmon), Security log cleared (1102), and audit policy changes (4719). Event ID 1102 is the last event written to the Security log when it is cleared, making it a critical indicator.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT administrators clearing event logs during troubleshooting or after resolving known issues with full change control documentation
- Log rotation scripts that archive and clear old event logs on a scheduled basis
- SIEM agents or log forwarders that modify event log settings during initial deployment or reconfiguration
Other platforms for T1562.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Clear Security Event Log with wevtutil
Expected signal: Security Event ID 1102 (audit log cleared) as the final event. Sysmon Event ID 1 with Image=wevtutil.exe and CommandLine='wevtutil cl Security'.
- Test 2Clear All Audit Policies with auditpol
Expected signal: Security Event ID 4719 (system audit policy changed). Sysmon Event ID 1 with Image=auditpol.exe.
- Test 3Disable EventLog Service via Registry
Expected signal: Sysmon Event ID 13: Registry value set for HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start with value 4 (disabled). Sysmon Event ID 1: reg.exe process creation.
References (5)
- https://attack.mitre.org/techniques/T1562/002/
- https://ptylu.github.io/content/report/report.html?report=25
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
- https://learn.microsoft.com/en-us/windows/win32/eventlog/event-log-security
Unlock Pro Content
Get the full detection package for T1562.002 including response playbook, investigation guide, and atomic red team tests.