Windows Event Logging Service Auto-Start Disabled

Rule Info

Name
Windows Event Logging Service Auto-Start Disabled
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects service configuration modifications of event logging service to disable it. Windows Event Logging service is responsible for logging system events, that are critical for security monitoring and auditing. Disabling this service can prevent the logging of important security events, making it a potential indicator of malicious activity. Adversaries may use this technique to limit data available for detection and audits.
Reference
https://ptylu.github.io/content/report/report.html?report=25
Date
2025-04-09 00:00:00
Modified
None
Id
c8c0599a-4b19-493a-9ab8-89c5dd64e9cd
Tags
attack.defense-evasion attack.t1562.002 car.2022-03-001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022