EXPLORE
Sign In
← Back to Explore
T1685.001

Disable or Modify Windows Event Log

Adversaries may disable or modify the Windows Event Log to limit data that can be leveraged for detections and audits. Windows Event Log records user and system activity such as login attempts and process creation.(Citation: EventLog_Core_Technologies) This data is used by security tools and analysts to generate detections. The EventLog service maintains event logs from various system components and applications. By default, the service automatically starts when a system powers on. An audit po...

Windows
26
Detections
1
Sources
2
Threat Actors

BY SOURCE

26sigma

PROCEDURES (17)

Driver3 detections

Auto-extracted: 3 detections for driver

Service3 detections

Auto-extracted: 3 detections for service

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Registry2 detections

Auto-extracted: 2 detections for registry

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Tamper2 detections

Auto-extracted: 2 detections for tamper

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Driver1 detections

Auto-extracted: 1 detections for driver

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Event Log1 detections

Auto-extracted: 1 detections for event log

Http1 detections

Auto-extracted: 1 detections for http

Tamper1 detections

Auto-extracted: 1 detections for tamper

Http1 detections

Auto-extracted: 1 detections for http

Tamper1 detections

Auto-extracted: 1 detections for tamper

Process Access Monitoring1 detections

Auto-extracted: 1 detections for process access monitoring

THREAT ACTORS (2)

Magic HoundThreat Group-3390

DETECTIONS (26)

Audit Policy Tampering Via Auditpol
sigmahigh
Audit Policy Tampering Via NT Resource Kit Auditpol
sigmahigh
Change Winevt Channel Access Permission Via Registry
sigmahigh
Disable Security Events Logging Adding Reg Key MiniNt
sigmahigh
Disable Windows Event Logging Via Registry
sigmahigh
Disable Windows IIS HTTP Logging
sigmahigh
ETW Logging/Processing Option Disabled On IIS Server
sigmamedium
EVTX Created In Uncommon Location
sigmamedium
Filter Driver Unloaded Via Fltmc.EXE
sigmamedium
HackTool - SharpEvtMute DLL Load
sigmahigh
HackTool - SharpEvtMute Execution
sigmahigh
HackTool - SysmonEnte Execution
sigmahigh
HTTP Logging Disabled On IIS Server
sigmahigh
Important Windows Event Auditing Disabled
sigmahigh
New Module Module Added To IIS Server
sigmamedium
Potential AutoLogger Sessions Tampering
sigmahigh
Potential EventLog File Location Tampering
sigmahigh
Potential Suspicious Activity Using SeCEdit
sigmamedium
Previously Installed IIS Module Was Removed
sigmalow
Security Event Logging Disabled via MiniNt Registry Key - Process
sigmahigh
Security Event Logging Disabled via MiniNt Registry Key - Registry Set
sigmahigh
Suspicious Eventlog Clearing or Configuration Change Activity
sigmahigh
Suspicious Svchost Process Access
sigmahigh
Sysmon Driver Unloaded Via Fltmc.EXE
sigmahigh
Windows Event Auditing Disabled
sigmalow
Windows EventLog Autologger Session Registry Modification Via CommandLine
sigmahigh