Impair Defenses: Disable Windows Event Logging

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.[1] This data is used by security tools and analysts to generate detections.

The EventLog service maintains event logs from various system components and applications.[2] By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.[3][4] auditpol.exe may also be used to set audit policies.[5]

Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog).[6][7] Additionally, the service may be disabled by modifying the "Start" value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change to take effect.[7]

There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog.[8] Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.[7]

Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:"Account Logon" /success:disable /failure:disable turns off auditing for the Account Logon category.[9][10] To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.[10]

By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

ID: T1562.002
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Windows
Defense Bypassed: Log analysis
Contributors: Lucas Heiligenstein; Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team
Version: 1.3
Created: 21 February 2020
Last Modified: 18 September 2023

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team disabled event logging on compromised systems.[11]

G0059 Magic Hound

Magic Hound has executed scripts to disable the event log service.[12]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29, used AUDITPOL to prevent the collection of audit logs.[13]

G0027 Threat Group-3390

Threat Group-3390 has used appcmd.exe to disable logging on a victim server.[14]

S0645 Wevtutil

Wevtutil can be used to disable specific event logs on the system.[15]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic review of auditpol settings for Administrator accounts and perform dynamic baselining on SIEM(s) to investigate potential malicious activity. Also ensure that the EventLog service and its threads are properly running.

M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at C:\Windows\system32\Winevt\Logs[16], have the proper file permissions for limited, legitimate access and audit policies for detection.

M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering logging. The addition of the MiniNT registry key disables Event Viewer.[17]

M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts provided by third-party services that may disable Windows event logging to limit data that can be leveraged for detections and audits.

DS0017 Command Command Execution

Monitor executed commands and arguments for commands that can be used to disable logging. For example, Wevtutil, auditpol, sc stop EventLog, reg add, Set- or Stop-Service, Set- or New-ItemProperty, sc config, and offensive tooling (such as Mimikatz and Invoke-Phant0m) may be used to clear logs and/or change the EventLog/audit policy.[17][18][7]

DS0009 Process Process Creation

Monitor newly executed processes that may disable Windows event logging to limit data that can be leveraged for detections and audits.

Analytic 1 - Disable Windows Event Logging

susp_processes = filter processes where ((command_line CONTAINS("New-Item") OR command_line CONTAINS("reg add")) OR command_line CONTAINS("MiniNt")) OR (command_line CONTAINS("Stop-Service")AND command_line CONTAINS("EventLog")) OR (command_line CONTAINS("EventLog") AND (command_line CONTAINS("Set-Service") OR command_line CONTAINS("reg add") OR command_line CONTAINS("Set-ItemProperty") OR command_line CONTAINS("New-ItemProperty") OR command_line CONTAINS("sc config"))) OR (command_line CONTAINS("auditpol") AND (command_line CONTAINS("/set") OR command_line CONTAINS("/clear") OR command_line CONTAINS("/revove"))) OR ((command_line CONTAINS("wevtutil") AND (command_line CONTAINS("sl") OR command_line CONTAINS("set-log"))))

DS0012 Script Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

DS0013 Sensor Health Host Status

Monitor for logging, messaging that may disable Windows event logging to limit data that can be leveraged for detections and audits. For example, adversaries may modify the EventLog file path to a different file name and location.[7]

DS0024 Windows Registry Windows Registry Key Creation

Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer.[17][7]

Windows Registry Key Modification

Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer.[17]

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. There are different ways to perform this attack.1. The first one is to create the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt. This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses powershell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise).2. The second way is to disable the service EventLog (display name Windows Event Log). After disabed, attacker must reboot the system. The action of disabling or put in manual the service will modify the Registry Key value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\start, therefore Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system.3. The third way is linked with the second. By default, the EventLog service cannot be stopped. If an attacker tries to stop the service, this one will restart immediately. Why ? Because to stop completely, this service must stop others, one in particular called netprofm (display name Network List Service). This service remains running until it is disabled. So Attacker must either disable EventLog and after to stop it or disable netprofm and after stop EventLog. Only stopping the service (even as admin) will not have an effect on the EventLog service because of the link with netprofm. Security EventLog 1100 will log the stop of the EventLog service (but also generates a lot of noise because it will generate a log everytime the system shutdown).4. The fourth way is to use auditpol.exe to modify the audit configuration and disable/modify important parameters that will lead to disable the creation of EventLog.5. The last one is to modify the Registry Key value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\file (or other kind of log) to modify the path where the EventLog are stocked. Importantly, with this technique, the EventViewer will use the value of the Registry Key "file" to know where to find the Log. Thus, using the EventViewer will always show the current event logs, but the old one will be stocked in another evtx. Also, the path must be in a folder that the Eventlog process has access (like it doesn’t work if attacker set up the new path in the Desktop). Attacker can also decrease the maxsize value of the Log to force the system to rewrite on the older EventLog (but the minimum cannot be less than 1028 KB). As the Registry key is modified, Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. All of these attacks required administrative right. Attacks number three, four and five do not require a system reboot to be effective immediately.

Analytic 1 - Disable Windows Event Logging

event_log_reg_keys = filter reg_keys where Key="EventLog" AND (value="Start" OR value="File" OR value="MaxSize")

References