EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Windows Event Logging Service Has Shutdown

The following analytic detects the shutdown of the Windows Event Log service by leveraging Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior.

MITRE ATT&CK

T1070.001

Detection Query

`wineventlog_security` EventCode=1100
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY action app change_type
       dest dvc name
       object_attrs object_category service
       service_name signature signature_id
       status subject vendor_product
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_event_logging_service_has_shutdown_filter`

Author

Mauricio Velazco, Splunk

Created

2026-02-25

Data Sources

Windows Event Log Security 1100

References

Tags

Windows Log ManipulationRansomwareClop RansomwareScattered Lapsus$ Hunters
Raw Content
name: Windows Event Logging Service Has Shutdown
id: d696f622-6b08-4336-b456-696cb5b43ba0
version: 5
date: '2026-02-25'
author: Mauricio Velazco, Splunk
status: production
type: Hunting
description: The following analytic detects the shutdown of the Windows Event Log service by leveraging Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior.
data_source:
    - Windows Event Log Security 1100
search: |-
    `wineventlog_security` EventCode=1100
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY action app change_type
           dest dvc name
           object_attrs object_category service
           service_name signature signature_id
           status subject vendor_product
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_event_logging_service_has_shutdown_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Windows event logs from your hosts. In addition, the Splunk Windows TA is needed.
known_false_positives: It is possible the Event Logging service gets shut down due to system errors or legitimate administration tasks. Investigate the cause of this issue and apply additional filters as needed.
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100
    - https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads
    - https://attack.mitre.org/techniques/T1070/001/
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md
tags:
    analytic_story:
        - Windows Log Manipulation
        - Ransomware
        - Clop Ransomware
        - Scattered Lapsus$ Hunters
    asset_type: Endpoint
    mitre_attack_id:
        - T1070.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/windows-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog