Windows Event Log Security

An attacker attempts to stop security services on a Windows endpoint using sc.exe, net.exe, or PowerShell Stop-Service cmdlet to weaken defenses for further malicious activity.

Detection of disabled audit policies on a Windows domain controller by monitoring Windows Security Event Logs for EventCode 4719, indicative of an attacker attempting to evade detection and potentially leading to data theft, privilege escalation, and full network compromise.