Disable Windows Event and Security Logs Using Built-in Tools
Attackers may attempt to disable Windows event logging to evade detection by using built-in tools like logman, PowerShell, and auditpol.
Attackers may disable Windows event logs to evade detection and hide their activities. This involves using built-in Windows utilities such as logman.exe, PowerShell (powershell.exe, pwsh.exe, powershell_ise.exe), and auditpol.exe to stop or disable the EventLog service or specific event logs. Disabling logging can prevent defenders from detecting malicious activity and hinder incident response efforts. This activity is usually associated with post-exploitation behavior. The tools mentioned are legitimate Windows binaries, making it harder to distinguish malicious use from legitimate administration. This rule detects the abuse of these tools.
Attack Chain
- The attacker gains initial access to the system (e.g., via phishing or exploit).
- The attacker executes
powershell.exeto disable the EventLog service using theSet-Servicecmdlet with theDisabledparameter. - Alternatively, the attacker executes
logman.exeto stop or delete specific EventLog traces, such asEventLog-*. - The attacker may use
auditpol.exewith the/success:disableargument to disable auditing policies. - The attacker performs malicious activities, such as lateral movement, privilege escalation, or data exfiltration.
- The attacker attempts to remove traces of their activity by deleting or disabling specific event logs using
logman.exe. - The attacker leverages PowerShell to further impair defenses by disabling security features.
- The attacker achieves their objective (e.g., data theft, system compromise) without being detected due to disabled logging.
Impact
Successful disabling of Windows event logs can severely hinder incident response and forensic investigations. It allows attackers to operate undetected, making it difficult to identify the scope of the compromise, the attacker's actions, and the data that was accessed or stolen. Without logs, security teams lose visibility into the attacker's activities, increasing dwell time and the potential for significant damage. Depending on the targeted system, impact could range from disabling logging on a single workstation to a domain controller affecting a whole environment.
Recommendation
- Deploy the Sigma rules in this brief to your SIEM to detect attempts to disable Windows event logging. Tune for your environment (see "Disable Windows Event and Security Logs Using Built-in Tools" rules).
- Monitor process creation events for the execution of
logman.exe,powershell.exe,pwsh.exe,powershell_ise.exe, andauditpol.exewith arguments related to disabling event logs (process_creation logsource). - Investigate any detected instances of these commands to determine if they are legitimate or malicious ("Disable Windows Event and Security Logs Using Built-in Tools" rules).
- Implement strict access controls and auditing policies to limit who can modify event logging configurations.
Detection coverage 3
Disable Windows Event Logs via Logman
mediumDetects attempts to disable Windows Event Logs using logman.exe.
Disable Windows Event Logs via PowerShell
mediumDetects attempts to disable Windows Event Logs using PowerShell.
Disable Windows Event Logs via Auditpol
mediumDetects attempts to disable Windows Event Logs using auditpol.exe.
Detection queries are available on the platform. Get full rules →