Impair Defenses: Disable Windows Event Logging

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.[1] This data is used by security tools and analysts to generate detections.

Adversaries may target system-wide logging or only the logging of a particular application (for example, a web server's request logs). By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

ID: T1562.002
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: Administrator
Data Sources: Process command-line parameters, Process monitoring, Windows event logs
Defense Bypassed: Log analysis
Version: 1.0
Created: 21 February 2020
Last Modified: 29 March 2020

Procedure Examples

Ebury: Ebury has disabled logging when the backdoor is used.[2]

Threat Group-3390: Threat Group-3390 has used appcmd.exe to disable logging on a victim server.[3]

Mitigations

Restrict File and Directory Permissions: Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging.

Restrict Registry Permissions: Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with logging.

User Account Management: Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.

Detection

Monitor process creation and command-line arguments for utilities that can clear, disable, or stop event logging, such as wevtutil (clearing a log or disabling a channel), auditpol (clearing or disabling audit policy), sc/net stop or Set-Service against the EventLog service, registry edits to the EventLog service or event channel keys, and appcmd.exe changes to IIS logging. A host or log channel that stops producing events, particularly right after such a command, may also be suspicious.
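The command-line monitoring and "log source went quiet" checks described above, as an added example that is not part of the ATT&CK page and not a vendor's detection content. The records are constructed for the example and loosely shaped like Windows Security 4688 / Sysmon event 1 fields; the host names, user names and timestamps are made up. The rules cover the utilities named in the detection text (wevtutil, auditpol, the EventLog service, the WINEVT channel registry keys, and the appcmd.exe httpLogging change attributed to Threat Group-3390).

```python
"""Flag process-creation records whose command line clears, disables or stops
Windows event logging (T1562.002), and list hosts whose logs have gone quiet.

Added example for this page; not MITRE's or any vendor's code.
"""
import re
from datetime import datetime, timedelta

# Constructed sample records (fabricated, not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2020-03-01T10:00:00", "host": "ws01", "user": r"CORP\alice",
     "cmdline": "wevtutil.exe qe Security /c:5 /f:text"},                # benign query
    {"time": "2020-03-01T10:02:00", "host": "ws01", "user": r"CORP\alice",
     "cmdline": "auditpol.exe /get /category:*"},                          # benign query
    {"time": "2020-03-01T10:05:00", "host": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "wevtutil.exe cl Security"},
    {"time": "2020-03-01T10:05:30", "host": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "wevtutil  sl  Microsoft-Windows-PowerShell/Operational /e:false"},
    {"time": "2020-03-01T10:06:00", "host": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "auditpol /set /category:* /success:disable /failure:disable"},
    {"time": "2020-03-01T10:07:00", "host": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" /v Start /t REG_DWORD /d 4 /f'},
    {"time": "2020-03-01T10:07:30", "host": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational /v Enabled /t REG_DWORD /d 0 /f"},
    {"time": "2020-03-01T10:08:00", "host": "ws01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": 'powershell.exe -nop -c "Set-Service -Name EventLog -StartupType Disabled"'},
    {"time": "2020-03-01T11:00:00", "host": "srv02", "user": r"CORP\svc-iis",
     "cmdline": "appcmd.exe list site"},                                   # benign
    {"time": "2020-03-01T11:01:00", "host": "srv02", "user": r"CORP\svc-iis",
     "cmdline": "appcmd.exe set config /section:httpLogging /dontLog:True"},
]

# (rule name, pattern) pairs; patterns run against the normalized command line.
RULES = [
    ("wevtutil clear-log",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S")),
    ("wevtutil channel disabled",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:sl|set-log)\s+.*\s/e:false\b")),
    ("auditpol policy cleared or disabled",
     re.compile(r"\bauditpol(?:\.exe)?\s+(?:/clear\b|/remove\b|/set\b.*(?:/success:disable|/failure:disable))")),
    ("EventLog service start type set via registry",
     re.compile(r"services\\eventlog\b.*\s/v\s+start\b.*\s/d\s+4\b")),
    ("event channel disabled via registry",
     re.compile(r"winevt\\channels\\\S+\s+/v\s+enabled\b.*\s/d\s+0\b")),
    ("EventLog service stopped or disabled",
     re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+eventlog\b"
                r"|\bsc(?:\.exe)?\s+config\s+eventlog\s+start=\s*disabled\b"
                r"|\bstop-service\b.*\beventlog\b"
                r"|\bset-service\b.*\beventlog\b.*\bdisabled\b")),
    ("IIS logging disabled via appcmd",
     re.compile(r"\bappcmd(?:\.exe)?\s+set\s+config\b.*/section:httplogging\b.*/dontlog:true\b")),
]


def normalize(cmdline):
    """Lowercase and collapse whitespace so case and spacing tricks do not dodge the rules."""
    return " ".join(cmdline.split()).lower()


def detect(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"rule": name, "host": ev["host"], "user": ev["user"],
                                 "time": ev["time"], "cmdline": ev["cmdline"]})
    return findings


def silent_hosts(events, now, max_gap):
    """Hosts whose newest record is older than max_gap. A source that goes quiet
    right after a log-tampering command deserves a look."""
    last_seen = {}
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        last_seen[ev["host"]] = max(last_seen.get(ev["host"], t), t)
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['user']}: {f['rule']} <- {f['cmdline']}")
    quiet = silent_hosts(SAMPLE_EVENTS, datetime.fromisoformat("2020-03-01T12:00:00"),
                         timedelta(minutes=90))
    print("hosts silent for over 90 minutes:", quiet)
```

The rules key on the argument that actually changes logging state (`cl`, `/e:false`, `/success:disable`, `/dontLog:True`, `/d 0`) rather than on the executable name alone, so routine queries such as `wevtutil qe` and `auditpol /get` are not flagged; in production the same patterns would run over 4688 or Sysmon 1 command lines, and the silence check over per-host event counts from the SIEM.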

References