Disable Windows Event Logging

Disable Windows Event Logging [T1562.002]

Information

Name: Disable Windows Event Logging
ID: T1562.002
Tactics:
Technique:

Introduction

Disabling Windows Event Logging (T1562.002) is a sub-technique of the MITRE ATT&CK framework under the Impair Defenses (T1562) technique. Attackers use this method to impair defensive mechanisms by preventing the logging of security events, thus hindering detection, forensic analysis, and incident response efforts. Windows Event Logging is a primary source of security information that organizations rely on to monitor system health, security incidents, and suspicious activities. By disabling or tampering with these logs, adversaries can obscure their activities and maintain persistence undetected.

Deep Dive Into Technique

Attackers can disable or manipulate Windows Event Logging through several methods:

Stopping Windows Event Log Service:
- Attackers may stop or disable the "Windows Event Log" (EventLog) service using built-in Windows utilities such as sc.exe, net.exe, or PowerShell commands:
  net stop eventlog sc config eventlog start= disabled
- Alternatively, PowerShell commands can be used:
  Set-Service -Name eventlog -StartupType Disabled Stop-Service -Name eventlog -Force
Registry Modification:
- Modifying registry keys related to event logging to disable or alter logging behavior:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
- Attackers may delete or alter values within this key, effectively disabling logging or limiting the information recorded.
Manipulating Event Log Channels:
- Using built-in Windows utilities like wevtutil.exe to disable specific event log channels:
  wevtutil sl Security /e:false
- This command specifically disables the Security event log channel, preventing critical security events from being recorded.
Corrupting Event Logs:
- Attackers may deliberately corrupt event log files (.evtx) to prevent proper log parsing and analysis.
- This can be done by overwriting or deleting event log files located typically in %SystemRoot%\System32\winevt\Logs.
Third-party Tools and Malware:
- Specialized malware or penetration testing tools can automate the disabling of event logging to evade detection during attacks.

When this Technique is Usually Used

Attackers commonly employ this sub-technique during various stages of an attack lifecycle, including:

Initial Access and Post-Exploitation:
- Immediately after gaining initial access, attackers may disable logging to avoid detection during lateral movement and privilege escalation.
Persistence and Privilege Escalation:
- Attackers aiming to establish persistent access or escalate privileges often disable logs to conceal their activities from security monitoring systems.
Credential Access and Lateral Movement:
- During credential harvesting or lateral movement, attackers disable event logging to hide evidence of their actions, such as failed login attempts or unusual network connections.
Defense Evasion and Impact:
- Particularly during ransomware attacks or destructive cyber-attacks, adversaries disable logging to prevent defenders from quickly understanding the scope or method of compromise, thus prolonging incident response times.

How this Technique is Usually Detected

Organizations can detect attempts to disable Windows Event Logging through multiple methods and tools:

Monitoring Windows Services:
- Continuously monitor the status of the Windows Event Log service (EventLog) for unusual stoppages or configuration changes.
- Tools such as Windows Defender ATP, Sysmon, and Endpoint Detection and Response (EDR) solutions can alert on service manipulation.
Registry Auditing and Monitoring:
- Enable auditing of registry keys related to event logging (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog) to detect unauthorized modifications.
- SIEM solutions like Splunk, QRadar, or Elastic Security can correlate registry event logs to identify suspicious changes.
Process Execution Monitoring:
- Monitor execution of suspicious commands (wevtutil.exe, sc.exe, net.exe, PowerShell commands) that disable logging.
- Sysmon or EDR tools can generate alerts when such commands are executed, especially from unusual or unauthorized processes.
File Integrity Monitoring:
- Implement file integrity monitoring (FIM) on event log files (.evtx) to detect unauthorized deletion, corruption, or modification.
Indicators of Compromise (IoCs):
- Sudden loss of event log data or gaps in logging timelines.
- Unexpected disabling or stopping of logging services.
- Specific Windows Event IDs related to service stoppage or registry modifications:
  - Event ID 7036 (Service Control Manager): Logs when services are stopped or started.
  - Event ID 7040 (Service Control Manager): Logs changes to service configurations.

Why it is Important to Detect This Technique

Early detection of attempts to disable Windows Event Logging is critical due to the following reasons:

Loss of Visibility:
- Disabling logs severely hampers an organization's ability to detect ongoing threats, investigate security incidents, and respond effectively.
Delayed Incident Response:
- Without proper logs, incident responders lose valuable forensic data, significantly delaying identification, containment, and remediation of security breaches.
Increased Attack Success Rate:
- Attackers who successfully disable logging can operate covertly, escalating privileges, exfiltrating data, or causing significant damage without detection.
Compliance and Regulatory Risks:
- Many regulatory frameworks (such as PCI DSS, HIPAA, GDPR) mandate maintaining accurate and reliable security logs. Disabling logging can lead to regulatory non-compliance, fines, and penalties.
Operational Impact:
- Organizations rely on event logs for troubleshooting, operational monitoring, and system health checks. Disabling logs can negatively impact IT operations and system reliability.

Examples

Real-world examples and scenarios involving disabling of Windows Event Logging:

NotPetya Ransomware Attack (2017):
- During the NotPetya attack, adversaries disabled Windows security event logging using built-in Windows utilities (wevtutil.exe) to prevent defenders from quickly identifying the scope and nature of the attack.
- Impact: Massive disruption to global businesses, causing billions of dollars in damages.
APT29 (Cozy Bear) Operations:
- APT29 has been known to disable Windows Event Logs or clear log entries to hide evidence of lateral movement, credential harvesting, and persistence techniques.
- Tools used: PowerShell scripts, custom malware, and native Windows utilities.
FIN8 Cybercrime Group:
- FIN8 has been observed disabling Windows Event Logging during attacks against retail and hospitality sectors to conceal their presence, evade detection, and facilitate theft of payment card data.
- Techniques: Service stoppage (sc.exe), registry modification, and log deletions.
Ryuk Ransomware Attacks:
- Attackers deploying Ryuk ransomware have been known to disable event logging to obscure their activities and delay detection and response efforts, increasing the effectiveness and impact of their attacks.
- Commands used include:
  wevtutil cl Security net stop eventlog
- Impact: Significant disruption to hospitals, municipalities, and organizations worldwide, leading to operational downtime and financial losses.

Last updated 1 month ago

Introduction

Deep Dive Into Technique

Attackers can disable or manipulate Windows Event Logging through several methods:

Stopping Windows Event Log Service:

Attackers may stop or disable the "Windows Event Log" (EventLog) service using built-in Windows utilities such as sc.exe, net.exe, or PowerShell commands:
```
net stop eventlog
sc config eventlog start= disabled
```

Alternatively, PowerShell commands can be used:

Set-Service -Name eventlog -StartupType Disabled
Stop-Service -Name eventlog -Force

Registry Modification:

Modifying registry keys related to event logging to disable or alter logging behavior:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
```
Attackers may delete or alter values within this key, effectively disabling logging or limiting the information recorded.

Manipulating Event Log Channels:

Using built-in Windows utilities like wevtutil.exe to disable specific event log channels:
```
wevtutil sl Security /e:false
```
This command specifically disables the Security event log channel, preventing critical security events from being recorded.

Corrupting Event Logs:

Attackers may deliberately corrupt event log files (.evtx) to prevent proper log parsing and analysis.
This can be done by overwriting or deleting event log files located typically in %SystemRoot%\System32\winevt\Logs.

Third-party Tools and Malware:

Specialized malware or penetration testing tools can automate the disabling of event logging to evade detection during attacks.

When this Technique is Usually Used

Attackers commonly employ this sub-technique during various stages of an attack lifecycle, including:

Initial Access and Post-Exploitation:

Immediately after gaining initial access, attackers may disable logging to avoid detection during lateral movement and privilege escalation.

Persistence and Privilege Escalation:

Attackers aiming to establish persistent access or escalate privileges often disable logs to conceal their activities from security monitoring systems.

Credential Access and Lateral Movement:

During credential harvesting or lateral movement, attackers disable event logging to hide evidence of their actions, such as failed login attempts or unusual network connections.

Defense Evasion and Impact:

Particularly during ransomware attacks or destructive cyber-attacks, adversaries disable logging to prevent defenders from quickly understanding the scope or method of compromise, thus prolonging incident response times.

How this Technique is Usually Detected

Organizations can detect attempts to disable Windows Event Logging through multiple methods and tools:

Monitoring Windows Services:

Continuously monitor the status of the Windows Event Log service (EventLog) for unusual stoppages or configuration changes.
Tools such as Windows Defender ATP, Sysmon, and Endpoint Detection and Response (EDR) solutions can alert on service manipulation.

Registry Auditing and Monitoring:

Enable auditing of registry keys related to event logging (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog) to detect unauthorized modifications.
SIEM solutions like Splunk, QRadar, or Elastic Security can correlate registry event logs to identify suspicious changes.

Process Execution Monitoring:

Monitor execution of suspicious commands (wevtutil.exe, sc.exe, net.exe, PowerShell commands) that disable logging.
Sysmon or EDR tools can generate alerts when such commands are executed, especially from unusual or unauthorized processes.

File Integrity Monitoring:

Implement file integrity monitoring (FIM) on event log files (.evtx) to detect unauthorized deletion, corruption, or modification.

Indicators of Compromise (IoCs):

Sudden loss of event log data or gaps in logging timelines.
Unexpected disabling or stopping of logging services.
Specific Windows Event IDs related to service stoppage or registry modifications:
- Event ID 7036 (Service Control Manager): Logs when services are stopped or started.
- Event ID 7040 (Service Control Manager): Logs changes to service configurations.

Why it is Important to Detect This Technique

Early detection of attempts to disable Windows Event Logging is critical due to the following reasons:

Loss of Visibility:

Disabling logs severely hampers an organization's ability to detect ongoing threats, investigate security incidents, and respond effectively.

Delayed Incident Response:

Without proper logs, incident responders lose valuable forensic data, significantly delaying identification, containment, and remediation of security breaches.

Increased Attack Success Rate:

Attackers who successfully disable logging can operate covertly, escalating privileges, exfiltrating data, or causing significant damage without detection.

Compliance and Regulatory Risks:

Many regulatory frameworks (such as PCI DSS, HIPAA, GDPR) mandate maintaining accurate and reliable security logs. Disabling logging can lead to regulatory non-compliance, fines, and penalties.

Operational Impact:

Organizations rely on event logs for troubleshooting, operational monitoring, and system health checks. Disabling logs can negatively impact IT operations and system reliability.

Examples

Real-world examples and scenarios involving disabling of Windows Event Logging:

NotPetya Ransomware Attack (2017):

During the NotPetya attack, adversaries disabled Windows security event logging using built-in Windows utilities (wevtutil.exe) to prevent defenders from quickly identifying the scope and nature of the attack.
Impact: Massive disruption to global businesses, causing billions of dollars in damages.

APT29 (Cozy Bear) Operations:

APT29 has been known to disable Windows Event Logs or clear log entries to hide evidence of lateral movement, credential harvesting, and persistence techniques.
Tools used: PowerShell scripts, custom malware, and native Windows utilities.

FIN8 Cybercrime Group:

FIN8 has been observed disabling Windows Event Logging during attacks against retail and hospitality sectors to conceal their presence, evade detection, and facilitate theft of payment card data.
Techniques: Service stoppage (sc.exe), registry modification, and log deletions.

Ryuk Ransomware Attacks:

Attackers deploying Ryuk ransomware have been known to disable event logging to obscure their activities and delay detection and response efforts, increasing the effectiveness and impact of their attacks.
Commands used include:
```
wevtutil cl Security
net stop eventlog
```
Impact: Significant disruption to hospitals, municipalities, and organizations worldwide, leading to operational downtime and financial losses.