T1562.002: Disable Windows Event Logging

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections.

The EventLog service maintains event logs from various system components and applications. By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings. auditpol.exe may also be used to set audit policies.

Adversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog). Additionally, the service may be disabled by modifying the “Start” value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change to take effect.

There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog. Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.

Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category. To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.

By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-1368: Disable_Sysmon: Sysmon was updated or disabled mitre_attck_defense_evasion: PT-CR-1208: EventLog_File_Substitute: The Windows Event Log file path is substituted to make the file unavailable mitre_attck_defense_evasion: PT-CR-1210: MiniNT_Key_Created: Windows Logging Service is disabled by creating the MiniNT registry Key mitre_attck_defense_evasion: PT-CR-2409: Sysmon_Blinding: Logging was stopped on a host. The security descriptor driver or Sysmon provider was modified for the Sysmon64.exe process to be denied access to \Device\SysmonDrv mitre_attck_defense_evasion: PT-CR-2192: Remote_EventLog_Crashing: A user crashed a service. An attacker can crash the Windows Event Log service on behalf of any user on any remote computer running Windows 10 or Windows Server 2022 in the same domain. The crash occurs in wevtsvc!VerifyUnicodeString when an attacker sends a malformed UNICODE_STRING object to the ElfrRegisterEventSourceW method exposed by the RPC-based EventLog Remoting Protocol.

Detection

ID	DS0013	Data source and component	Sensor Health: Host Status	Description	Monitor for logging, messaging that may disable Windows event logging to limit data that can be leveraged for detections and audits. For example, adversaries may modify the EventLog file path to a different file name and location.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments for commands that can be used to disable logging. For example, Wevtutil, auditpol, `sc stop EventLog`, `reg add`, `Set- or Stop-Service`, `Set- or New-ItemProperty`, `sc config`, and offensive tooling (such as Mimikatz and Invoke-Phant0m) may be used to clear logs and/or change the EventLog/audit policy.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer. Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. There are different ways to perform this attack. The first one is to create the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt. This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses powershell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise). The second way is to disable the service EventLog (display name Windows Event Log). After disabed, attacker must reboot the system. The action of disabling or put in manual the service will modify the Registry Key value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\start, therefore Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. The third way is linked with the second. By default, the EventLog service cannot be stopped. If an attacker tries to stop the service, this one will restart immediately. Why ? Because to stop completely, this service must stop others, one in particular called netprofm (display name Network List Service). This service remains running until it is disabled. So Attacker must either disable EventLog and after to stop it or disable netprofm and after stop EventLog. Only stopping the service (even as admin) will not have an effect on the EventLog service because of the link with netprofm. Security EventLog 1100 will log the stop of the EventLog service (but also generates a lot of noise because it will generate a log everytime the system shutdown). The fourth way is to use auditpol.exe to modify the audit configuration and disable/modify important parameters that will lead to disable the creation of EventLog. The last one is to modify the Registry Key value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\file (or other kind of log) to modify the path where the EventLog are stocked. Importantly, with this technique, the EventViewer will use the value of the Registry Key “file” to know where to find the Log. Thus, using the EventViewer will always show the current event logs, but the old one will be stocked in another evtx. Also, the path must be in a folder that the Eventlog process has access (like it doesn’t work if attacker set up the new path in the Desktop). Attacker can also decrease the maxsize value of the Log to force the system to rewrite on the older EventLog (but the minimum cannot be less than 1028 KB). As the Registry key is modified, Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. All of these attacks required administrative right. Attacks number three, four and five do not require a system reboot to be effective immediately. Analytic 1 - Disable Windows Event Logging `(source="WinEventLog:Security" EventCode IN (4657, 4719) OR source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13") (ObjectName="EventLog") (ObjectValueName="Start" OR ObjectValueName="File" OR ObjectValueName="MaxSize")`

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Creation	Description	Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer.

ID	DS0012	Data source and component	Script: Script Execution	Description	Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor newly executed processes that may disable Windows event logging to limit data that can be leveraged for detections and audits. Analytic 1 - Disable Windows Event Logging (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") ((CommandLine="New-Item" OR CommandLine="reg add") CommandLine="MiniNt") OR (CommandLine="Stop-Service" CommandLine="EventLog") OR (CommandLine="EventLog" (CommandLine="Set-Service" OR CommandLine="reg add" OR CommandLine="Set-ItemProperty" OR CommandLine="New-ItemProperty" OR CommandLine="sc config")) OR (CommandLine="auditpol" (CommandLine="/set" OR CommandLine="/clear" OR CommandLine="/revove")) OR (CommandLine="wevtutil" (CommandLine="sl" OR CommandLine="set-log"))

ID	DS0015	Data source and component	Application Log: Application Log Content	Description	Monitor for third-party application logging, messaging, and/or other artifacts provided by third-party services that may disable Windows event logging to limit data that can be leveraged for detections and audits.

ID	Data source and component	Description
DS0013	Sensor Health: Host Status	Monitor for logging, messaging that may disable Windows event logging to limit data that can be leveraged for detections and audits. For example, adversaries may modify the EventLog file path to a different file name and location.
DS0017	Command: Command Execution	Monitor executed commands and arguments for commands that can be used to disable logging. For example, Wevtutil, auditpol, `sc stop EventLog`, `reg add`, `Set- or Stop-Service`, `Set- or New-ItemProperty`, `sc config`, and offensive tooling (such as Mimikatz and Invoke-Phant0m) may be used to clear logs and/or change the EventLog/audit policy.
DS0024	Windows Registry: Windows Registry Key Modification	Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer. Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. There are different ways to perform this attack. The first one is to create the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt. This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses powershell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise). The second way is to disable the service EventLog (display name Windows Event Log). After disabed, attacker must reboot the system. The action of disabling or put in manual the service will modify the Registry Key value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\start, therefore Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. The third way is linked with the second. By default, the EventLog service cannot be stopped. If an attacker tries to stop the service, this one will restart immediately. Why ? Because to stop completely, this service must stop others, one in particular called netprofm (display name Network List Service). This service remains running until it is disabled. So Attacker must either disable EventLog and after to stop it or disable netprofm and after stop EventLog. Only stopping the service (even as admin) will not have an effect on the EventLog service because of the link with netprofm. Security EventLog 1100 will log the stop of the EventLog service (but also generates a lot of noise because it will generate a log everytime the system shutdown). The fourth way is to use auditpol.exe to modify the audit configuration and disable/modify important parameters that will lead to disable the creation of EventLog. The last one is to modify the Registry Key value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\file (or other kind of log) to modify the path where the EventLog are stocked. Importantly, with this technique, the EventViewer will use the value of the Registry Key “file” to know where to find the Log. Thus, using the EventViewer will always show the current event logs, but the old one will be stocked in another evtx. Also, the path must be in a folder that the Eventlog process has access (like it doesn’t work if attacker set up the new path in the Desktop). Attacker can also decrease the maxsize value of the Log to force the system to rewrite on the older EventLog (but the minimum cannot be less than 1028 KB). As the Registry key is modified, Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. All of these attacks required administrative right. Attacks number three, four and five do not require a system reboot to be effective immediately. Analytic 1 - Disable Windows Event Logging `(source="WinEventLog:Security" EventCode IN (4657, 4719) OR source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13") (ObjectName="EventLog") (ObjectValueName="Start" OR ObjectValueName="File" OR ObjectValueName="MaxSize")`
DS0024	Windows Registry: Windows Registry Key Creation	Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer.
DS0012	Script: Script Execution	Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
DS0009	Process: Process Creation	Monitor newly executed processes that may disable Windows event logging to limit data that can be leveraged for detections and audits. Analytic 1 - Disable Windows Event Logging (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") ((CommandLine="New-Item" OR CommandLine="reg add") CommandLine="MiniNt") OR (CommandLine="Stop-Service" CommandLine="EventLog") OR (CommandLine="EventLog" (CommandLine="Set-Service" OR CommandLine="reg add" OR CommandLine="Set-ItemProperty" OR CommandLine="New-ItemProperty" OR CommandLine="sc config")) OR (CommandLine="auditpol" (CommandLine="/set" OR CommandLine="/clear" OR CommandLine="/revove")) OR (CommandLine="wevtutil" (CommandLine="sl" OR CommandLine="set-log"))
DS0015	Application Log: Application Log Content	Monitor for third-party application logging, messaging, and/or other artifacts provided by third-party services that may disable Windows event logging to limit data that can be leveraged for detections and audits.

Mitigation

ID	M1018	Name	User Account Management	Description	Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.

ID	M1022	Name	Restrict File and Directory Permissions	Description	Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at `C:\Windows\system32\Winevt\Logs`, have the proper file permissions for limited, legitimate access and audit policies for detection.

ID	M1024	Name	Restrict Registry Permissions	Description	Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering logging. The addition of the MiniNT registry key disables Event Viewer.

ID	M1047	Name	Audit	Description	Consider periodic review of `auditpol` settings for Administrator accounts and perform dynamic baselining on SIEM(s) to investigate potential malicious activity. Also ensure that the EventLog service and its threads are properly running.

ID	Name	Description
M1018	User Account Management	Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.
M1022	Restrict File and Directory Permissions	Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at `C:\Windows\system32\Winevt\Logs`, have the proper file permissions for limited, legitimate access and audit policies for detection.
M1024	Restrict Registry Permissions	Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering logging. The addition of the MiniNT registry key disables Event Viewer.
M1047	Audit	Consider periodic review of `auditpol` settings for Administrator accounts and perform dynamic baselining on SIEM(s) to investigate potential malicious activity. Also ensure that the EventLog service and its threads are properly running.