1. Home
  2. Techniques
  3. Enterprise
  4. Impair Defenses
  5. Disable Windows Event Logging

Impair Defenses: Disable Windows Event Logging

ID Name
T1562.001 Disable or Modify Tools
T1562.002 Disable Windows Event Logging
T1562.003 Impair Command History Logging
T1562.004 Disable or Modify System Firewall
T1562.006 Indicator Blocking
T1562.007 Disable or Modify Cloud Firewall
T1562.008 Disable or Modify Cloud Logs
T1562.009 Safe Mode Boot
T1562.010 Downgrade Attack
T1562.011 Spoof Security Alerting
T1562.012 Disable or Modify Linux Audit System
T1562.013 Disable or Modify Network Device Firewall

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.[1] This data is used by security tools and analysts to generate detections.

The EventLog service maintains event logs from various system components and applications.[2] By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.[3][4] auditpol.exe may also be used to set audit policies.[5]

Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog).[6][7] Additionally, the service may be disabled by modifying the "Start" value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change to take effect.[7]

There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog.[8] Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.[7]

Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:"Account Logon" /success:disable /failure:disable turns off auditing for the Account Logon category.[9][10] To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.[10]

By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

ID: T1562.002
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Windows
Contributors: Lucas Heiligenstein; Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team
Version: 1.4
Created: 21 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team disabled event logging on compromised systems.[11]
C0038 HomeLand Justice

During HomeLand Justice, threat actors deleted Windows events and application logs.[12]
G0059 Magic Hound

Magic Hound has executed scripts to disable the event log service.[13]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29, used AUDITPOL to prevent the collection of audit logs.[14]
G0027 Threat Group-3390

Threat Group-3390 has used appcmd.exe to disable logging on a victim server.[15]
S0645 Wevtutil

Wevtutil can be used to disable specific event logs on the system.[16]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic review of auditpol settings for Administrator accounts and perform dynamic baselining on SIEM(s) to investigate potential malicious activity. Also ensure that the EventLog service and its threads are properly running.
M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at C:\Windows\system32\Winevt\Logs[17], have the proper file permissions for limited, legitimate access and audit policies for detection.

M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering logging. The addition of the MiniNT registry key disables Event Viewer.[18]
M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0187 Detect disabled Windows event logging AN0535

Detection of attempts to disable or tamper with Windows Event Logging. This includes stopping or disabling the EventLog service, modifying registry keys related to EventLog and Autologger, using auditpol or wevtutil to disable categories or clear audit policies, and detecting suspicious gaps or resets in event logs. Defenders observe registry changes, service state changes, process execution of disabling commands, and anomalies in event record sequences.

References

  1. Franklin Smith. (n.d.). Windows Security Log Events. Retrieved February 21, 2020.
  2. Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021.
  3. Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021.
  4. Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.
  5. Jason Gerend, et al. (2017, October 16). auditpol. Retrieved September 1, 2021.
  6. dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021.
  7. Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
  8. Naceri, A. (2021, November 7). Windows Server 2019 file overwrite bug. Retrieved April 7, 2022.
  9. STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.
  1. redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.
  2. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  3. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  4. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  5. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  6. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  7. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
  8. Forensics Wiki. (2021, June 19). Windows XML Event Log (EVTX). Retrieved September 13, 2021.
  9. Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021.