Huseyin Can YUCEEL | March 17, 2025 | 3 MIN READ

LAST UPDATED ON MARCH 17, 2025

MITRE ATT&CK T1562.002 Impair Defenses: Disable Windows Event Logging

Disable Windows Event Logging is a defense evasion technique that adversaries use to disable or manipulate Windows event logs. Windows Event Logging is a critical security feature that records system activity, including login attempts, process execution, and security policy changes. Security teams rely on these logs for threat hunting, incident response, and forensic investigations. By disabling or modifying event logging, attackers can cover their tracks, making it significantly harder for defenders to detect, investigate, and respond to malicious activity.

In this blog post, we explain the T1562.002 Disable Windows Event Logging technique of the MITRE ATT&CK® framework and explore how adversaries employ it, with real-world attack examples.



What is Windows Event Logging?

Windows Event Logging is the centralized mechanism for recording system and application events in the Windows operating system. Event logs record operating system, application, security, setup, hardware, and user events; administrators use them to diagnose system problems, and security tools and analysts use them to investigate security issues. Logged events such as application installations, logon attempts, privilege use, and process creation are valuable sources for detecting anomalies that may indicate a cyber attack.

Adversary Use of Disable Windows Event Logging

Adversaries know that event logs record traces of their activity, and that administrators and security teams rely on those traces to detect and respond to incidents. By subverting the logging mechanism, they reduce the volume of logs available for security audits and, with it, the likelihood of detection.

Stopping or disabling the Windows Event Log service halts logging altogether, so that no further record of the adversary's actions is written. The danger is that the adversary can then operate with sharply reduced visibility, and defenders who depend on event logs may not even notice that collection has stopped until they go looking for records that were never written.

Adversaries may target system-wide logging or logging for particular applications. The two commands below are the simplest, and noisiest, forms of the technique. The first changes the start type of the Windows Event Log service so that it will not start after the next reboot (note the space after "start=", which sc.exe requires); the running service keeps logging until then. The second stops the running service immediately. Both require administrative rights, Stop-Service needs -Force because other services depend on EventLog, and both leave their own traces right before the logs go dark: Service Control Manager events 7040 (start type changed) and 7036 (service entered the stopped state) in the System log, and event 1100 ("The event logging service has shut down") in the Security log.

REM Command shell example for disabling system-wide logging at the next boot

sc config eventlog start= disabled

# PowerShell example for stopping system-wide logging immediately

Stop-Service -Name EventLog -Force

In May 2024, the GhostEngine cryptominer was reported to use the Windows Events Command Line Utility (wevtutil.exe) to clear specific event logs [1]. The "cl" (clear-log) verb empties a channel while leaving the logging service running. Clearing the Security log produces event 1102 in the Security log itself, and clearing any other channel produces event 104 in the System log, so the act of clearing is a reliable indicator even though the cleared records are gone.

wevtutil.exe cl Microsoft-Windows-AppModel-Runtime/Operation
wevtutil.exe cl Microsoft-Windows-Diagnostics-Performance
wevtutil.exe cl "Forwarded Events"
wevtutil.exe cl System
wevtutil.exe cl Setup
wevtutil.exe cl Security

In other cases, adversaries disrupt a particular logging function inside their own process rather than touching the logging service. Mallox ransomware patches EtwEventWrite, the ntdll.dll export through which user-mode providers emit Event Tracing for Windows (ETW) events, so that the call returns immediately and the process generates no ETW telemetry, including the .NET runtime events that many EDR products consume [2]. The Event Log service keeps running and every other process keeps logging, which is exactly what makes the resulting gap in telemetry hard to notice.

// Decompiled excerpt; the obfuscated class names are the sample's own.
// Step 1: locate ntdll!EtwEventWrite in the current process.
IntPtr intPtr = WrapperClientManager.LoadLibrary("ntdll.dll");
if (intPtr == IntPtr.Zero)
{
    throw new Exception();
}
IntPtr procAddress = WrapperClientManager.GetProcAddress(intPtr, "EtwEventWrite");
if (procAddress == IntPtr.Zero)
{
    throw new Exception();
}
// Step 2: fetch the patch bytes that will overwrite the function's prologue.
byte[] array = this.IncludeAttribute();
if (array == null)
{
    throw new Exception();
}
// Step 3: make the code page writable. The call has the shape of
// VirtualProtect(lpAddress, dwSize, flNewProtect, out lpflOldProtect);
// 64U is 0x40, PAGE_EXECUTE_READWRITE.
uint num;
if (!ProcessorContextCandidate.m_Writer(procAddress, array.Length, 64U, out num))
{
    throw new Exception();
}
// The published excerpt ends here; the write of the patch bytes over
// EtwEventWrite that follows is not shown.
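The defender's counterpart to the EtwEventWrite patch above is an integrity check on the function's first bytes. The Python below is an added example, not code from the original post or from the Mallox analysis, and it runs offline: it compares the leading bytes of EtwEventWrite as captured from a process against the same bytes from the ntdll.dll image on disk, recognises the stubs that attackers commonly write there, and separates them from the jmp trampolines that legitimate user-mode hooking products (EDRs) install at the same spot. DISK_PROLOGUE and the SAMPLES captures are constructed placeholders rather than real ntdll code; on a Windows host the in-memory copy would come from ReadProcessMemory at the EtwEventWrite export address and the on-disk copy from the export's file offset in ntdll.dll.

```python
"""Offline integrity check for the ntdll!EtwEventWrite prologue (added example).

SAMPLES and DISK_PROLOGUE are constructed placeholders, not real ntdll bytes. On a
Windows host, `mem` would come from ReadProcessMemory at the export address and
`disk` from the export's file offset in the on-disk ntdll.dll.
"""

# Stubs attackers write over EtwEventWrite so that every call returns STATUS_SUCCESS (0)
# at once and the process emits no ETW events.
KNOWN_STUBS = {
    bytes.fromhex("4833c0c3"): "xor rax,rax; ret (x64)",
    bytes.fromhex("33c0c3"): "xor eax,eax; ret",
    bytes.fromhex("b800000000c3"): "mov eax,0; ret",
    bytes.fromhex("33c0c21400"): "xor eax,eax; ret 0x14 (x86 stdcall, 20 bytes of arguments)",
    bytes.fromhex("c3"): "ret",
}

# Stand-in for the clean prologue as read from the ntdll.dll image on disk (placeholder bytes).
DISK_PROLOGUE = bytes.fromhex("4c8bdc4883ec58488b05d0e20f00")


def first_difference(mem, disk):
    """Offset of the first differing byte, or None when the two spans are identical."""
    for offset, (a, b) in enumerate(zip(mem, disk)):
        if a != b:
            return offset
    return None if len(mem) == len(disk) else min(len(mem), len(disk))


def classify_prologue(mem, disk):
    """Classify the in-memory prologue against the on-disk bytes.

    Returns (verdict, detail) with verdict in {"clean", "etw_suppression_stub",
    "inline_jmp_hook", "modified"}. A jmp at the entry point is how user-mode
    hooking products redirect the function, so it is reported apart from a
    return-immediately patch instead of being lumped in as "modified".
    """
    offset = first_difference(mem, disk)
    if offset is None:
        return "clean", "in-memory bytes match the on-disk image"
    for stub, name in sorted(KNOWN_STUBS.items(), key=lambda kv: -len(kv[0])):
        if mem.startswith(stub):
            return "etw_suppression_stub", f"prologue replaced with {name}"
    # E9 rel32 is a near jmp; FF 25 is jmp [rip+disp32]: the usual hook trampolines.
    if mem[:1] == b"\xe9" or mem[:2] == b"\xff\x25":
        return "inline_jmp_hook", f"entry redirected by jmp, first difference at offset {offset}"
    return "modified", f"unrecognised change, first difference at offset {offset}"


# Constructed captures of the same span from five hypothetical processes.
SAMPLES = {
    "clean_process": DISK_PROLOGUE,
    "mallox_style_patch": bytes.fromhex("4833c0c3") + DISK_PROLOGUE[4:],
    "single_ret_patch": b"\xc3" + DISK_PROLOGUE[1:],
    "edr_hooked_process": b"\xe9\x10\x20\x30\x40" + DISK_PROLOGUE[5:],
    "unknown_patch": b"\x90\x90" + DISK_PROLOGUE[2:],
}


def scan(samples, disk):
    """Map each capture name to its verdict."""
    return {name: classify_prologue(mem, disk)[0] for name, mem in samples.items()}


if __name__ == "__main__":
    for name, mem in SAMPLES.items():
        print(f"{name:22s} {classify_prologue(mem, DISK_PROLOGUE)}")
```

Running the check across every process on a host turns the patch from an invisible telemetry gap into a positive finding; the "inline_jmp_hook" verdict should be baselined against the hooking products actually deployed so that it does not page an analyst for the EDR's own hooks.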

Another technique involves modifying the Windows Registry, the central store of system settings and configuration. Event log configuration lives there too: the Event Log service's start type is the Start value under HKLM\SYSTEM\CurrentControlSet\Services\EventLog (4 means disabled, which is what sc config writes), and an individual channel can be switched off by setting the Enabled value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<channel name> to 0. Editing these values directly achieves the same result as the commands above without ever invoking sc.exe or wevtutil.exe, which is why detections based only on command lines miss it; auditing the keys (event 4657 with a SACL on them) or watching them with Sysmon registry events closes that gap.

Adversaries with sufficient privileges may also change Group Policy settings related to event logging. Group Policy lets administrators define and enforce security policies across a domain, and an adversary who has gained rights to edit a Group Policy Object (for example, Domain Admin) can alter the Advanced Audit Policy Configuration so that the subcategories that would record their activity, such as Process Creation or Logon, are no longer audited on every machine the policy applies to. The same change can be made on a single host with auditpol.exe (for example, auditpol /set /subcategory:"Process Creation" /success:disable, or auditpol /clear to remove the whole policy). Because the Security log is still running when the policy changes, the change itself is recorded as event 4719, "System audit policy was changed", which should be alerted on wherever it does not correlate with planned administrative work.
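Each of the tampering methods described above leaves at least one record behind before visibility degrades. The Python script below is an added example, not part of the original post or the cited reports; it triages exported Windows event XML (the shape produced by wevtutil qe <log> /f:xml, or received through Windows Event Forwarding) for exactly those records: 1102 and 104 (a log was cleared), 1100 (the logging service shut down), 7040 (start type of the EventLog service changed), 4719 (audit policy changed), and 4688 process creations in which wevtutil.exe clears or disables a channel or auditpol.exe weakens the policy. The sample records are constructed; the hostname, user and GUID are placeholders, and the 4688 rule assumes the "Include command line in process creation events" policy is enabled so that the CommandLine field is populated.

```python
"""Triage of exported Windows Event XML (wevtutil qe <log> /f:xml, or forwarded
events) for T1562.002 indicators. SAMPLE_RECORDS are constructed for this example;
hosts, users and GUIDs are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Flatten one <Event> into header fields plus EventData/UserData values."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "provider": system.find("e:Provider", NS).get("Name"),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": {},
    }
    # EventData holds <Data Name="..."> children; UserData holds one provider-defined
    # element (e.g. LogFileCleared) whose children are the fields, in its own namespace.
    for node in root.iterfind("e:EventData/e:Data", NS):
        ev["data"][node.get("Name")] = (node.text or "").strip()
    for node in root.iterfind("e:UserData/*/*", NS):
        ev["data"][node.tag.rsplit("}", 1)[-1]] = (node.text or "").strip()
    return ev


def triage(ev):
    """Return [(rule, detail), ...] for one parsed event; empty if nothing matched."""
    eid, data = ev["event_id"], ev["data"]
    subject = f"{data.get('SubjectDomainName', '?')}\\{data.get('SubjectUserName', '?')}"
    findings = []
    if eid == 1102 and ev["channel"] == "Security":
        findings.append(("security_log_cleared", f"Security log cleared by {subject}"))
    elif eid == 104 and ev["provider"] == "Microsoft-Windows-Eventlog":
        findings.append(("log_cleared", f"{data.get('Channel')} log cleared by {subject}"))
    elif eid == 1100:
        findings.append(("eventlog_service_shutdown", f"logging service shut down on {ev['computer']}"))
    elif eid == 7040 and data.get("param4", "").lower() == "eventlog":
        # Service Control Manager: start type of the EventLog service changed (sc config or registry edit).
        findings.append(("eventlog_start_type_changed", f"{data.get('param2')} -> {data.get('param3')}"))
    elif eid == 4719:
        # Audit policy changed via GPO or auditpol; %%8448 / %%8450 mean success / failure auditing removed.
        findings.append(("audit_policy_changed", f"{data.get('SubcategoryGuid')} {data.get('AuditPolicyChanges')} by {subject}"))
    elif eid == 4688:
        # Needs the "Include command line in process creation events" policy, or CommandLine is empty.
        image = data.get("NewProcessName", "").lower()
        tokens = set(data.get("CommandLine", "").lower().split())
        clears_log = bool({"cl", "clear-log"} & tokens)
        disables_channel = bool({"sl", "set-log"} & tokens) and "/e:false" in tokens
        if image.endswith("\\wevtutil.exe") and (clears_log or disables_channel):
            findings.append(("wevtutil_log_tamper", f"{subject}: {data.get('CommandLine')}"))
        weakens_audit = bool({"/clear", "/remove"} & tokens) or any(t.endswith(":disable") for t in tokens)
        if image.endswith("\\auditpol.exe") and weakens_audit:
            findings.append(("auditpol_tamper", f"{subject}: {data.get('CommandLine')}"))
    return findings


def triage_all(records):
    """Parse and triage XML records, returning findings in input order."""
    return [finding for xml_text in records for finding in triage(parse_event(xml_text))]


_EVT = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
_LFC = 'xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"'
_HOST = "<Computer>WS01.corp.example</Computer></System>"
SAMPLE_RECORDS = [
    # Security 1102: the Security log itself was cleared.
    f'<Event {_EVT}><System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>'
    f'<Channel>Security</Channel>{_HOST}<UserData><LogFileCleared {_LFC}><SubjectUserName>jdoe'
    '</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName></LogFileCleared></UserData></Event>',
    # System 104: another channel was cleared (wevtutil cl <channel>).
    f'<Event {_EVT}><System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>'
    f'<Channel>System</Channel>{_HOST}<UserData><LogFileCleared {_LFC}><SubjectUserName>jdoe'
    '</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName><Channel>Microsoft-Windows-PowerShell'
    '/Operational</Channel><BackupPath></BackupPath></LogFileCleared></UserData></Event>',
    # System 7040: sc config eventlog start= disabled
    f'<Event {_EVT}><System><Provider Name="Service Control Manager"/><EventID>7040</EventID>'
    f'<Channel>System</Channel>{_HOST}<EventData><Data Name="param1">Windows Event Log</Data>'
    '<Data Name="param2">auto start</Data><Data Name="param3">disabled</Data>'
    '<Data Name="param4">EventLog</Data></EventData></Event>',
    # Security 4688: wevtutil.exe started to clear the Security log.
    f'<Event {_EVT}><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>'
    f'<Channel>Security</Channel>{_HOST}<EventData><Data Name="SubjectUserName">jdoe</Data>'
    '<Data Name="SubjectDomainName">CORP</Data><Data Name="NewProcessName">C:\\Windows\\System32\\wevtutil.exe'
    '</Data><Data Name="CommandLine">wevtutil.exe cl Security</Data></EventData></Event>',
    # Security 4719: success auditing removed from a subcategory (GPO or auditpol).
    f'<Event {_EVT}><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4719</EventID>'
    f'<Channel>Security</Channel>{_HOST}<EventData><Data Name="SubjectUserName">jdoe</Data>'
    '<Data Name="SubjectDomainName">CORP</Data><Data Name="SubcategoryGuid">{0cce922b-69ae-11d9-bed3-505054503030}'
    '</Data><Data Name="AuditPolicyChanges">%%8448</Data></EventData></Event>',
    # Security 4688: ordinary process start; must not match.
    f'<Event {_EVT}><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>'
    f'<Channel>Security</Channel>{_HOST}<EventData><Data Name="NewProcessName">C:\\Windows\\notepad.exe'
    '</Data><Data Name="CommandLine">notepad.exe notes.txt</Data></EventData></Event>',
]
```

Calling triage_all(SAMPLE_RECORDS) yields five findings, one for each tampering record and none for the notepad.exe start. In production the same rules belong in the SIEM, ideally fed from forwarded events rather than the local log, since a host whose Event Log service has been disabled can no longer report that fact about itself.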


References

[1] S. Bitam, S. Bousseaden, T. DeJesus, and A. Pease, "Invisible miners: unveiling GHOSTENGINE's crypto mining operations." https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine

[2] Sekoia TDR, J. Scion, L. Tibirna, and P. Le Bourhis, "Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns," Sekoia.io Blog. https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/
