Disable Windows Event and Security Logs Using Built-in Tools
Elastic Stack Serverless Security
Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 3
Rule authors:
- Elastic
- Ivan Ninichuck
- Austin Songer
Rule license: Elastic License v2
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
process where event.type in ("start", "process_started") and
((process.name:"logman.exe" or process.pe.original_file_name == "Logman.exe") and
process.args : "EventLog-*" and process.args : ("stop", "delete")) or
((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or process.pe.original_file_name in
("pwsh.exe", "powershell.exe", "powershell_ise.exe")) and
process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or
((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable")
Framework: MITRE ATT&CKTM
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Indicator Removal on Host
- ID: T1070
- Reference URL: https://attack.mitre.org/techniques/T1070/
Sub-technique:
- Name: Clear Windows Event Logs
- ID: T1070.001
- Reference URL: https://attack.mitre.org/techniques/T1070/001/