Impair Defenses: Disable Windows Event Logging

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.[1] This data is used by security tools and analysts to generate detections.

Adversaries may target system-wide logging or only the logging of a particular application (for example, a web server's request logs). By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

ID: T1562.002
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: Administrator
Data Sources: Command: Command Execution, Sensor Health: Host Status
Defense Bypassed: Log analysis
Version: 1.0
Created: 21 February 2020
Last Modified: 29 March 2020

Procedure Examples

ID Name Description
G0016 APT29

APT29 used AUDITPOL to prevent the collection of audit logs.[2]

G0027 Threat Group-3390

Threat Group-3390 has used appcmd.exe to disable logging on a victim server.[3]

Mitigations

ID Mitigation Description
M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging.

M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with logging.

M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.

Detection

Monitor processes and command-line arguments for commands that can be used to disable logging, such as auditpol and appcmd (the utilities in the procedure examples above) or wevtutil used to disable an event channel. A sudden absence of event logs from a host that was previously reporting may itself be suspicious; compare each host's log volume against its baseline rather than relying only on the content of the logs that do arrive.
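The following is an added example of the detection approach described above; it is not part of the ATT&CK page and not code from any of the referenced reports. It runs two checks over constructed process-creation records whose field names loosely mirror Windows Security event 4688 / Sysmon event 1 (hostnames, timestamps and commands are all made up): command-line rules for the utilities named on this page (auditpol, appcmd) extended with wevtutil and sc, which are assumed here as further ways to disable logging, and a "silent host" check that flags expected log sources that have stopped reporting.

```python
"""Detection logic for T1562.002 over constructed process-creation records.

Example added for illustration; not ATT&CK project code. Field names and
sample events are assumptions that loosely mirror Security 4688 / Sysmon 1.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2020-03-01T10:00:00",
     "image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": 'auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable'},
    {"host": "WS01", "time": "2020-03-01T10:00:05",
     "image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": "auditpol.exe /get /category:*"},           # read-only query, benign
    {"host": "WEB01", "time": "2020-03-01T10:02:00",
     "image": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "cmdline": 'appcmd.exe set config "Default Web Site" /section:httpLogging /dontLog:True'},
    {"host": "SRV02", "time": "2020-03-01T10:03:00",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe sl Microsoft-Windows-PowerShell/Operational /e:false"},
    {"host": "SRV02", "time": "2020-03-01T10:03:10",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe qe Security /c:5"},            # read-only query, benign
    {"host": "DC01", "time": "2020-03-01T10:04:00",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe config eventlog start= disabled"},
    {"host": "FS03", "time": "2020-03-01T08:00:00",
     "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},                             # ordinary activity
]

# (rule name, expected image basename, pattern over the command line).
# Patterns are case-insensitive: the tools accept flags in either case and
# adversaries vary casing to dodge naive string matching.
RULES = [
    ("auditpol_disable", "auditpol.exe",
     re.compile(r"/set\b.*/(success|failure):disable|/clear\b|/remove\b", re.I)),
    ("wevtutil_channel_disable", "wevtutil.exe",
     re.compile(r"\bsl\b.*/e(nabled)?:false", re.I)),
    ("iis_http_logging_disable", "appcmd.exe",
     re.compile(r"httpLogging.*dontLog:true", re.I)),
    ("eventlog_service_disable", "sc.exe",
     re.compile(r"\bstop\s+eventlog\b|\bconfig\s+eventlog\b.*start=\s*disabled", re.I)),
]


def image_name(path):
    """Lower-cased basename of an image path (either slash style)."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(events):
    """Return (host, rule, cmdline) for every event matching a rule."""
    hits = []
    for ev in events:
        name = image_name(ev["image"])
        for rule, image, pattern in RULES:
            if name == image and pattern.search(ev["cmdline"]):
                hits.append((ev["host"], rule, ev["cmdline"]))
    return hits


def silent_hosts(events, expected_hosts, now_iso, max_gap_seconds):
    """Hosts that should be reporting but have sent nothing within the gap.

    A log source going quiet is itself an indicator: disabling the event
    log service stops the stream rather than leaving a tell-tale event.
    """
    now = datetime.fromisoformat(now_iso)
    max_gap = timedelta(seconds=max_gap_seconds)
    last_seen = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        last_seen[ev["host"]] = max(ts, last_seen.get(ev["host"], ts))
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_gap)


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {cmd}")
    quiet = silent_hosts(SAMPLE_EVENTS, ["WS01", "WEB01", "SRV02", "DC01", "FS03"],
                         "2020-03-01T10:30:00", 3600)
    print("hosts not reporting within the last hour:", quiet)
```

The rules deliberately key on the image basename as well as the command line, so a renamed copy of auditpol.exe would be missed by this example; in production, pair it with original-filename or hash matching from the process-creation event. The silent-host check needs an authoritative list of expected sources (asset inventory, agent registration) and a baseline interval per host, both of which are assumptions here.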

References