
Rule Info

Name: Suspicious Attempts to Disable Windows Event Logging Service - Powershell
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects attempts to disable the Windows Event Logging service through PowerShell using CimInstance, WmiObject or Set-Service. The Event Logging service is responsible for logging system events in Windows, which is critical for security monitoring and auditing. Disabling this service can prevent the logging of important security events, making it a potential indicator of malicious activity. Adversaries may use this technique to limit the data available for detection and audits.
Date: 2025-04-09 00:00:00
Modified: None
Id: 7a297541-68c5-4c8f-b3b4-8f8e81953ba9
Tags: attack.defense-evasion attack.t1562.002 car.2022-03-001
Type: Nextron Sigma feed only (private)