title: Disable Windows Event Logging (T1562.002)
id: df00tech-t1562-002
status: experimental
description: "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. This includes stopping the EventLog service, modifying audit policies with auditpol.exe, altering registry keys that control event log autologger sessions, or using wevtutil to disable specific logs. Adversaries may also target application-specific logging such as IIS logs using appcmd.exe."
references:
  - https://attack.mitre.org/techniques/T1562/002/
  - https://df00tech.com/detections/T1562.002
author: df00tech
date: 2026/04/20
tags:
  - attack.t1562.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators clearing event logs during troubleshooting or after resolving known issues with full change control documentation
  - Log rotation scripts that archive and clear old event logs on a scheduled basis
  - SIEM agents or log forwarders that modify event log settings during initial deployment or reconfiguration
level: critical