Impair Defenses: Disable Windows Event Logging
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections.
Adversaries may target system-wide logging or only the logging of a particular application. By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.
| Mitigation | Description |
|---|---|
| Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging. |
| Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with logging. |
| User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging. |
Monitor processes and command-line arguments for commands that can be used to disable logging. An unexpected absence of event logs from a host may itself be suspicious.
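As an added example (not part of the original ATT&CK page), the following script applies both detection ideas above to a constructed set of process-creation events: it flags command lines that clear logs, wipe audit policy, or tamper with the EventLog service, and it lists hosts that have gone silent longer than a threshold. The event records, regex patterns, and threshold are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of process-creation events (think Security 4688 / Sysmon 1),
# reduced to the fields the checks need. Not real telemetry.
EVENTS = [
    {"host": "ws01", "time": "2024-05-01T09:00:00", "cmd": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"host": "ws01", "time": "2024-05-01T09:05:00", "cmd": "wevtutil.exe cl Security"},
    {"host": "ws02", "time": "2024-05-01T09:01:00", "cmd": "powershell.exe -c Set-Service EventLog -StartupType Disabled"},
    {"host": "ws02", "time": "2024-05-01T09:02:00", "cmd": "auditpol.exe /clear /y"},
    {"host": "ws03", "time": "2024-04-30T17:00:00", "cmd": "notepad.exe"},
    {"host": "ws03", "time": "2024-04-30T17:10:00", "cmd": "wevtutil.exe qe System /c:5"},
]

# Command-line patterns for log clearing, audit-policy clearing, and EventLog
# service tampering. These regexes are assumptions for this example; tune them
# to the tooling actually used in your environment.
DISABLE_LOGGING_PATTERNS = [
    (r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", "event log cleared"),
    (r"\bauditpol(\.exe)?\s+/clear\b", "audit policy cleared"),
    (r"\b(sc(\.exe)?\s+(stop|config)\s+eventlog|Stop-Service\s+eventlog|Set-Service\s+eventlog)\b",
     "EventLog service tampered"),
]


def flag_command(cmd: str):
    """Return a short reason if the command line matches a logging-tamper pattern, else None."""
    for pattern, reason in DISABLE_LOGGING_PATTERNS:
        if re.search(pattern, cmd, re.IGNORECASE):
            return reason
    return None


def suspicious_commands(events):
    """(host, command line, reason) for every event that matches a tamper pattern."""
    hits = []
    for e in events:
        reason = flag_command(e["cmd"])
        if reason:
            hits.append((e["host"], e["cmd"], reason))
    return hits


def silent_hosts(events, now: str, max_gap=timedelta(hours=6)):
    """Hosts whose newest event is older than max_gap: a gap like this deserves a look."""
    last_seen = {}
    for e in events:
        t = datetime.fromisoformat(e["time"])
        last_seen[e["host"]] = max(last_seen.get(e["host"], t), t)
    return sorted(h for h, t in last_seen.items() if datetime.fromisoformat(now) - t > max_gap)


if __name__ == "__main__":
    for host, cmd, reason in suspicious_commands(EVENTS):
        print(f"{host}: {reason}: {cmd}")
    print("silent hosts:", silent_hosts(EVENTS, "2024-05-01T10:00:00"))
```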