Disable or Modify Tools: Disable or Modify Windows Event Log T1685.001

Events covered

11 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 41 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (26 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Top indicator values (233 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Exclusions (75 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 28 rules

• Audit Policy Tampering Via Auditpol
• Audit Policy Tampering Via NT Resource Kit Auditpol
• Change Winevt Channel Access Permission Via Registry
• Disable Security Events Logging Adding Reg Key MiniNt
• Disable Windows Event Logging Via Registry
• Disable Windows IIS HTTP Logging
• ETW Logging/Processing Option Disabled On IIS Server
• EVTX Created In Uncommon Location
• Filter Driver Unloaded Via Fltmc.EXE
• Forest Blizzard APT - File Creation Activity
• Forest Blizzard APT - JavaScript Constrained File Creation
• HackTool - SharpEvtMute DLL Load
• HackTool - SharpEvtMute Execution
• HackTool - SysmonEnte Execution
• HTTP Logging Disabled On IIS Server
• Important Windows Event Auditing Disabled
• New Module Module Added To IIS Server
• Potential AutoLogger Sessions Tampering
• Potential EventLog File Location Tampering
• Potential Suspicious Activity Using SeCEdit
• Previously Installed IIS Module Was Removed
• Security Event Logging Disabled via MiniNt Registry Key - Process
• Security Event Logging Disabled via MiniNt Registry Key - Registry Set
• Suspicious Eventlog Clearing or Configuration Change Activity
• Suspicious Svchost Process Access
• Sysmon Driver Unloaded Via Fltmc.EXE
• Windows Event Auditing Disabled
• Windows EventLog Autologger Session Registry Modification Via CommandLine

Splunk 13 rules

• Cisco ASA - Logging Message Suppression
• Windows Audit Policy Auditing Option Disabled via Auditpol
• Windows Audit Policy Cleared via Auditpol
• Windows Audit Policy Disabled via Auditpol
• Windows Audit Policy Disabled via Legacy Auditpol
• Windows Audit Policy Excluded Category via Auditpol
• Windows Audit Policy Restored via Auditpol
• Windows Audit Policy Security Descriptor Tampering via Auditpol
• Windows Disable Windows Event Logging Disable HTTP Logging
• Windows Global Object Access Audit List Cleared Via Auditpol
• Windows New Custom Security Descriptor Set On EventLog Channel
• Windows New EventLog ChannelAccess Registry Value Set
• Windows PowerShell Disable HTTP Logging