Home
ATT&CK Techniques
T1562.002 Disable Windows Event Logging

T1562.002 Disable Windows Event Logging Mappings

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.

The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to <code>Security Settings\Local Policies\Audit Policy</code> for basic audit policy settings or <code>Security Settings\Advanced Audit Policy Configuration</code> for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) <code>auditpol.exe</code> may also be used to set audit policies.(Citation: auditpol)

Adversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: <code>Stop-Service -Name EventLog</code>.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use <code>auditpol</code> and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the <code>/success</code> or <code>/failure</code> parameters. For example, <code>auditpol /set /category:”Account Logon” /success:disable /failure:disable</code> turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: <code>auditpol /clear /y</code> or <code>auditpol /remove /allusers</code>.(Citation: T1562.002_redcanaryco)

By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-2	Account Management	Protects	T1562.002	Disable Windows Event Logging
AC-3	Access Enforcement	Protects	T1562.002	Disable Windows Event Logging
AC-5	Separation of Duties	Protects	T1562.002	Disable Windows Event Logging
AC-6	Least Privilege	Protects	T1562.002	Disable Windows Event Logging
CA-7	Continuous Monitoring	Protects	T1562.002	Disable Windows Event Logging
CM-2	Baseline Configuration	Protects	T1562.002	Disable Windows Event Logging
CM-5	Access Restrictions for Change	Protects	T1562.002	Disable Windows Event Logging
CM-6	Configuration Settings	Protects	T1562.002	Disable Windows Event Logging
CM-7	Least Functionality	Protects	T1562.002	Disable Windows Event Logging
IA-2	Identification and Authentication (organizational Users)	Protects	T1562.002	Disable Windows Event Logging
SI-3	Malicious Code Protection	Protects	T1562.002	Disable Windows Event Logging
SI-4	System Monitoring	Protects	T1562.002	Disable Windows Event Logging
SI-7	Software, Firmware, and Information Integrity	Protects	T1562.002	Disable Windows Event Logging
action.hacking.variety.Disable controls	Disable or interfere with security controls	related-to	T1562.002	Disable Windows Event Logging
action.malware.variety.Disable controls	Disable or interfere with security controls	related-to	T1562.002	Disable Windows Event Logging