T1562.002 Disable Windows Event Logging Mappings

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.

Adversaries may targeting system-wide logging or just that of a particular application. By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1562.002 Disable Windows Event Logging
AC-3 Access Enforcement Protects T1562.002 Disable Windows Event Logging
AC-5 Separation of Duties Protects T1562.002 Disable Windows Event Logging
AC-6 Least Privilege Protects T1562.002 Disable Windows Event Logging
CA-7 Continuous Monitoring Protects T1562.002 Disable Windows Event Logging
CM-2 Baseline Configuration Protects T1562.002 Disable Windows Event Logging
CM-5 Access Restrictions for Change Protects T1562.002 Disable Windows Event Logging
CM-6 Configuration Settings Protects T1562.002 Disable Windows Event Logging
CM-7 Least Functionality Protects T1562.002 Disable Windows Event Logging
IA-2 Identification and Authentication (organizational Users) Protects T1562.002 Disable Windows Event Logging
SI-3 Malicious Code Protection Protects T1562.002 Disable Windows Event Logging
SI-4 System Monitoring Protects T1562.002 Disable Windows Event Logging
SI-7 Software, Firmware, and Information Integrity Protects T1562.002 Disable Windows Event Logging
azure_sentinel Azure Sentinel technique_scores T1562.002 Disable Windows Event Logging