Detect Disable Windows Event Logging in Sumo Logic CSE
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. This includes stopping the EventLog service, modifying audit policies with auditpol.exe, altering registry keys that control event log autologger sessions, or using wevtutil to disable specific logs. Adversaries may also target application-specific logging such as IIS logs using appcmd.exe.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1562 Impair Defenses
- Sub-technique: T1562.002 Disable Windows Event Logging
- Canonical reference: https://attack.mitre.org/techniques/T1562/002/
Sumo Detection Query

```
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*WinEventLog*)
| where (EventID in ("1", "4688") and (
    CommandLine matches /(?i)sc\s+(stop|config)\s+eventlog/ or
    CommandLine matches /(?i)net\s+stop\s+eventlog/ or
    CommandLine matches /(?i)(stop-service|set-service).{0,40}eventlog/ or
    CommandLine matches /(?i)wevtutil\s+(cl|sl)/ or
    CommandLine matches /(?i)auditpol\s+\/(clear|set|remove)/
  )) or EventID = "1102" or EventID = "4719"
| eval TamperType = if(EventID = "1102", "Security Log Cleared (EID 1102)",
    if(EventID = "4719", "Audit Policy Changed (EID 4719)",
    if(CommandLine matches /(?i)sc\s+(stop|config).*eventlog/, "EventLog Service Tampering",
    if(CommandLine matches /(?i)(net\s+stop|stop-service).*eventlog/, "EventLog Service Stop",
    if(CommandLine matches /(?i)wevtutil\s+cl/, "Event Log Clear via wevtutil",
    if(CommandLine matches /(?i)wevtutil\s+sl/, "Event Log Settings Modified via wevtutil",
    if(CommandLine matches /(?i)auditpol\s+\/clear/, "Audit Policy Cleared",
    if(CommandLine matches /(?i)auditpol\s+\/set/, "Audit Policy Modified",
    if(CommandLine matches /(?i)auditpol\s+\/remove/, "Audit Policy Users Removed",
    "Unknown")))))))))
| table _time, Computer, User, EventID, TamperType, CommandLine
| sort by _time desc
```

Sumo Logic CSE query detecting Windows event logging tampering via Sysmon EID 1 or Security EID 4688 process creation events matching sc.exe, net.exe, wevtutil, auditpol, and PowerShell patterns, plus direct detection of audit log cleared (EID 1102) and audit policy changed (EID 4719).
False Positives & Tuning
- IT operations running wevtutil cl on test systems or during log rotation procedures without proper change documentation
- Compliance tooling that reconfigures audit policies (auditpol /set) on a scheduled basis as part of CIS benchmark enforcement
- Endpoint management agents stopping and restarting the EventLog service during software deployment or patching cycles
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Clear Security Event Log with wevtutil
Expected signal: Security Event ID 1102 (audit log cleared) as the final event. Sysmon Event ID 1 with Image=wevtutil.exe and CommandLine='wevtutil cl Security'.
- Test 2: Clear All Audit Policies with auditpol
Expected signal: Security Event ID 4719 (system audit policy changed). Sysmon Event ID 1 with Image=auditpol.exe.
- Test 3: Disable EventLog Service via Registry
Expected signal: Sysmon Event ID 13: Registry value set for HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start with value 4 (disabled). Sysmon Event ID 1: reg.exe process creation.
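To check the query's where-filters and TamperType labels against the three tests before deploying them, here is an added Python re-implementation of the same patterns run over constructed sample events (this is example code written for this page, not the Sumo Logic query itself). It mirrors the query exactly for EID 1/4688/1102/4719, and adds a hypothetical extra rule for the Sysmon EID 13 registry write from Test 3, which the query as written has no pattern for; the sample events and the `classify`/`triage` function names are assumptions.

```python
import re
# Constructed sample events (not from the page); fields mirror what the Sumo query reads.
SAMPLE_EVENTS = [
    {"EventID": "1", "CommandLine": "wevtutil cl Security"},
    {"EventID": "4688", "CommandLine": "auditpol /clear /y"},
    {"EventID": "1", "CommandLine": "Stop-Service -Name eventlog -Force"},
    {"EventID": "1", "CommandLine": "Set-Service eventlog -StartupType Disabled"},
    {"EventID": "1102", "CommandLine": ""},
    {"EventID": "4719", "CommandLine": ""},
    {"EventID": "13", "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Start",
     "Details": "DWORD (0x00000004)"},
    {"EventID": "1", "CommandLine": "notepad.exe C:\\notes.txt"},
]
# The query's where-clause filters: a process event must match one of these to be kept.
WHERE_FILTERS = [re.compile(p, re.I) for p in (
    r"sc\s+(stop|config)\s+eventlog", r"net\s+stop\s+eventlog",
    r"(stop-service|set-service).{0,40}eventlog", r"wevtutil\s+(cl|sl)",
    r"auditpol\s+/(clear|set|remove)",
)]
# The query's eval labels in the same order; first match wins, otherwise "Unknown".
EVAL_LABELS = [(re.compile(p, re.I), label) for p, label in (
    (r"sc\s+(stop|config).*eventlog", "EventLog Service Tampering"),
    (r"(net\s+stop|stop-service).*eventlog", "EventLog Service Stop"),
    (r"wevtutil\s+cl", "Event Log Clear via wevtutil"),
    (r"wevtutil\s+sl", "Event Log Settings Modified via wevtutil"),
    (r"auditpol\s+/clear", "Audit Policy Cleared"),
    (r"auditpol\s+/set", "Audit Policy Modified"),
    (r"auditpol\s+/remove", "Audit Policy Users Removed"),
)]
# Hypothetical extension for Test 3: the query has no rule for this Sysmon EID 13 write.
EVENTLOG_START_KEY = r"hklm\system\currentcontrolset\services\eventlog\start"

def classify(event):
    """Return the TamperType label for one event, or None if the query would drop it."""
    eid = event.get("EventID")
    if eid == "1102":
        return "Security Log Cleared (EID 1102)"
    if eid == "4719":
        return "Audit Policy Changed (EID 4719)"
    cmd = event.get("CommandLine", "")
    if eid in ("1", "4688") and any(f.search(cmd) for f in WHERE_FILTERS):
        return next((label for rx, label in EVAL_LABELS if rx.search(cmd)), "Unknown")
    if eid == "13" and event.get("TargetObject", "").lower() == EVENTLOG_START_KEY:
        if "0x00000004" in event.get("Details", ""):
            return "EventLog Service Disabled via Registry (Start=4)"
    return None

def triage(events):
    """Keep only events the detection would surface, as (EventID, TamperType) pairs."""
    return [(e["EventID"], classify(e)) for e in events if classify(e) is not None]
```

Note that a `Set-Service ... eventlog` command passes the where-filter but none of the eval patterns, so it surfaces as "Unknown"; that is worth a dedicated label when tuning the query.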
References
- https://attack.mitre.org/techniques/T1562/002/
- https://ptylu.github.io/content/report/report.html?report=25
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
- https://learn.microsoft.com/en-us/windows/win32/eventlog/event-log-security