Impair Defenses: Disable Windows Event Logging

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.[1] This data is used by security tools and analysts to generate detections.

The EventLog service maintains event logs from various system components and applications.[2] By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings.[3][4] auditpol.exe may also be used to set audit policies.[5]

Adversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.[6] Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:"Account Logon" /success:disable /failure:disable turns off auditing for the Account Logon category.[7][8] To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.[8]

By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

ID: T1562.002
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: Administrator
Defense Bypassed: Log analysis
Contributors: Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team
Version: 1.1
Created: 21 February 2020
Last Modified: 19 October 2021

Procedure Examples

ID Name Description
G0016 APT29

APT29 used AUDITPOL to prevent the collection of audit logs.[9]

G0034 Sandworm Team

Sandworm Team has disabled event logging on compromised systems.[10]

G0027 Threat Group-3390

Threat Group-3390 has used appcmd.exe to disable logging on a victim server.[11]

S0645 Wevtutil

Wevtutil can be used to disable specific event logs on the system.[12]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic review of auditpol settings for Administrator accounts and perform dynamic baselining on SIEM(s) to investigate potential malicious activity. Also ensure that the EventLog service and its threads are properly running.

M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at C:\Windows\system32\Winevt\Logs[13], have the proper file permissions for limited, legitimate access and audit policies for detection.

M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering logging. The addition of the MiniNT registry key disables Event Viewer.[14]

M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0009 Process Process Creation
DS0012 Script Script Execution
DS0013 Sensor Health Host Status
DS0024 Windows Registry Windows Registry Key Creation

Monitor processes and command-line arguments for commands that can be used to disable logging. For example, Wevtutil, auditpol, sc stop EventLog, and offensive tooling (such as Mimikatz and Invoke-Phant0m) may be used to clear logs.[14][15]

In Event Viewer, Event ID 1102 under the "Security" Windows Log and Event ID 104 under the "System" Windows Log both indicate logs have been cleared.[14] Service Control Manager Event ID 7035 in Event Viewer may indicate the termination of the EventLog service.[15] Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.

Monitor the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control, which may disable Event Viewer.[14]

References