T1562.002

Disable Windows Event Logging

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections. The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when ...

Platform: Windows
Detections: 42
Sources: 3
Threat actors: 2

By source: 24 sigma, 13 splunk_escu, 5 elastic

PROCEDURES (26, auto-extracted labels with the number of detections mapped to each)

Lateral (6 detections)
Process Creation Monitoring (4 detections)
Tamper (3 detections)
Http (3 detections)
Registry (2 detections)
General Monitoring (2 detections)
Suspicious (2 detections)
Driver (2 detections)
Process Access Monitoring (1 detection)
Authentication Monitoring (1 detection)
Suspicious (1 detection)
Script Block (1 detection)
Registry (1 detection)
Powershell (1 detection)
Suspicious (1 detection)
Lateral (1 detection)
Lateral (1 detection)
Bypass (1 detection)
Script Block (1 detection)
Suspicious (1 detection)
Event Log (1 detection)
Powershell (1 detection)
Http (1 detection)
Tamper (1 detection)
Tamper (1 detection)
Tamper (1 detection)

DETECTIONS (42, listed as: rule title (source, severity where the source assigns one))

Audit Policy Tampering Via Auditpol (sigma, high)
Audit Policy Tampering Via NT Resource Kit Auditpol (sigma, high)
Change Winevt Channel Access Permission Via Registry (sigma, high)
Cisco ASA - Logging Message Suppression (splunk_escu)
Clearing Windows Event Logs (elastic, low)
Disable Security Events Logging Adding Reg Key MiniNt (sigma, high)
Disable Windows Event and Security Logs Using Built-in Tools (elastic, low)
Disable Windows Event Logging Via Registry (sigma, high)
Disable Windows IIS HTTP Logging (sigma, high)
ETW Logging/Processing Option Disabled On IIS Server (sigma, medium)
EVTX Created In Uncommon Location (sigma, medium)
Filter Driver Unloaded Via Fltmc.EXE (sigma, medium)
HackTool - SharpEvtMute DLL Load (sigma, high)
HackTool - SharpEvtMute Execution (sigma, high)
HackTool - SysmonEnte Execution (sigma, high)
HTTP Logging Disabled On IIS Server (sigma, high)
IIS HTTP Logging Disabled (elastic, high)
Important Windows Event Auditing Disabled (sigma, high)
New Module Module Added To IIS Server (sigma, medium)
Potential EventLog File Location Tampering (sigma, high)
Potential Suspicious Activity Using SeCEdit (sigma, medium)
PowerShell Script Block Logging Disabled (elastic, medium)
Previously Installed IIS Module Was Removed (sigma, low)
Security Event Logging Disabled via MiniNt Registry Key - Process (sigma, high)
Security Event Logging Disabled via MiniNt Registry Key - Registry Set (sigma, high)
Sensitive Audit Policy Sub-Category Disabled (elastic, medium)
Suspicious Eventlog Clearing or Configuration Change Activity (sigma, high)
Suspicious Svchost Process Access (sigma, high)
Sysmon Driver Unloaded Via Fltmc.EXE (sigma, high)
Windows Audit Policy Auditing Option Disabled via Auditpol (splunk_escu)
Windows Audit Policy Cleared via Auditpol (splunk_escu)
Windows Audit Policy Disabled via Auditpol (splunk_escu)
Windows Audit Policy Disabled via Legacy Auditpol (splunk_escu)
Windows Audit Policy Excluded Category via Auditpol (splunk_escu)
Windows Audit Policy Restored via Auditpol (splunk_escu)
Windows Audit Policy Security Descriptor Tampering via Auditpol (splunk_escu)
Windows Disable Windows Event Logging Disable HTTP Logging (splunk_escu)
Windows Event Auditing Disabled (sigma, low)
Windows Global Object Access Audit List Cleared Via Auditpol (splunk_escu)
Windows New Custom Security Descriptor Set On EventLog Channel (splunk_escu)
Windows New EventLog ChannelAccess Registry Value Set (splunk_escu)
Windows PowerShell Disable HTTP Logging (splunk_escu)
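Most of the rules above key on a small set of telemetry patterns: an auditpol.exe command line that clears or disables policy, wevtutil clearing or reconfiguring a log, the MiniNt registry key appearing, a WINEVT channel's Enabled value set to 0, a channel ACL (ChannelAccess/CustomSD) rewritten, and Security event 1102. The Python below is an added example, not code from this catalog or from any of the Sigma, Splunk ESCU or Elastic rules it lists; it implements those patterns over constructed Sysmon-style and Security-log events expressed as dicts. Field names follow the Sysmon/Security schema, but every event value and every rule label (`auditpol_tampering`, `minint_key`, and so on) is this example's own invention.

```python
"""Detection logic for the tampering patterns listed on this page, run over constructed events.

Added example, not code from the catalog or from any Sigma/ESCU/Elastic rule it lists. Events are
hand-built dicts in Sysmon / Security-log field naming (EventID 1 process creation, 12/13 registry
key create / value set, Security 1102 log cleared); every value below is made up for illustration.
"""
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# auditpol.exe switches and values that weaken or wipe the local audit policy (read-only /get is ignored)
AUDITPOL_TAMPER = ("/clear", "/remove", "/restore", ":disable")

# wevtutil verbs that clear a log or change its configuration (cl / clear-log, sl / set-log)
WEVTUTIL_VERBS = re.compile(r"(?:^|\s)(?:cl|clear-log|sl|set-log)\s", re.I)

# Registry locations whose modification silences logging; rule names are this example's own labels
REG_RULES = {
    # HKLM\SYSTEM\CurrentControlSet\Control\MiniNt present: the EventLog service stops writing events
    "minint_key": re.compile(r"\\CurrentControlSet\\Control\\MiniNt\b", re.I),
    # WINEVT\Channels\<channel>\Enabled = 0 turns a single channel off
    "winevt_channel_disabled": re.compile(r"\\WINEVT\\Channels\\[^\\]+\\Enabled$", re.I),
    # channel ACL rewritten (ChannelAccess / CustomSD), e.g. to deny reads to collectors
    "channel_acl_changed": re.compile(
        r"(?:\\WINEVT\\Channels\\[^\\]+\\ChannelAccess|\\Services\\EventLog\\[^\\]+\\CustomSD)$", re.I),
}


def classify(ev):
    """Return the list of rule labels a single event dict triggers (empty when benign)."""
    hits = []
    channel, eid = ev.get("Channel"), ev.get("EventID")
    if channel == "Security" and eid == 1102:          # "The audit log was cleared"
        hits.append("security_log_cleared")
    if channel == SYSMON and eid == 1:                  # process creation
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.endswith("\\auditpol.exe") and any(t in cmd.lower() for t in AUDITPOL_TAMPER):
            hits.append("auditpol_tampering")
        if image.endswith("\\wevtutil.exe") and WEVTUTIL_VERBS.search(cmd):
            hits.append("wevtutil_clear_or_config")
        if image.endswith("\\reg.exe") and REG_RULES["minint_key"].search(cmd):
            hits.append("minint_key")
    if channel == SYSMON and eid in (12, 13):           # registry key created / value set
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        for rule, pattern in REG_RULES.items():
            if not pattern.search(target):
                continue
            if rule == "winevt_channel_disabled" and details != "DWORD (0x00000000)":
                continue                                # Enabled written, but set to 1: not a disable
            hits.append(rule)
    return hits


def scan(events):
    """Run classify over a sequence of events; map rule label -> list of triggering event indices."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in classify(ev):
            findings.setdefault(rule, []).append(i)
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry; indices are what scan() reports
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\auditpol.exe",
     "CommandLine": "auditpol.exe /set /category:* /success:disable /failure:disable"},
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\auditpol.exe",
     "CommandLine": "auditpol.exe /get /category:*"},                        # benign read of policy
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"'},
    {"Channel": SYSMON, "EventID": 12, "EventType": "CreateKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\MiniNt"},
    {"Channel": SYSMON, "EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell/Operational\Enabled"},
    {"Channel": SYSMON, "EventID": 13, "Details": "DWORD (0x00000001)",     # benign: channel re-enabled
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell/Operational\Enabled"},
    {"Channel": SYSMON, "EventID": 13, "Details": "O:BAG:SYD:(D;;0x1;;;WD)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\ChannelAccess"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "jdoe"},
    {"Channel": SYSMON, "EventID": 13, "Details": r"C:\Users\jdoe\updater.exe",  # unrelated registry write
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for rule, idx in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule:26s} events {idx}")
```

The channel-disable rule deliberately checks the written value rather than the key path alone, which is what keeps a defender re-enabling a channel from tripping it; the MiniNt rule needs no such guard because the key has no legitimate reason to exist on a production host. In a real pipeline the same functions would consume parsed EVTX or forwarded JSON rather than the inline list.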