Clankerusecase
MITRE ATT&CK detection coverage

T1685.001 Disable or Modify Windows Event Log

T1685.001 — Disable or Modify Windows Event Log is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 13 detection use cases covering it.

Defense Evasion
13 Use cases
0 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (13)

Cisco ASA - Logging Message Suppression | ESCU | actions · hunting | P
Windows Audit Policy Auditing Option Disabled via Auditpol | ESCU | actions · alerting | P
Windows Audit Policy Cleared via Auditpol | ESCU | actions · alerting | P
Windows Audit Policy Disabled via Auditpol | ESCU | actions · hunting | P
Windows Audit Policy Disabled via Legacy Auditpol | ESCU | actions · hunting | P
Windows Audit Policy Excluded Category via Auditpol | ESCU | actions · hunting | P
Windows Audit Policy Restored via Auditpol | ESCU | actions · hunting | P
Windows Audit Policy Security Descriptor Tampering via Auditpol | ESCU | actions · hunting | P
Windows Disable Windows Event Logging Disable HTTP Logging | ESCU | actions · hunting | P
Windows Global Object Access Audit List Cleared Via Auditpol | ESCU | actions · alerting | P
Windows New Custom Security Descriptor Set On EventLog Channel | ESCU | actions · hunting | P
Windows New EventLog ChannelAccess Registry Value Set | ESCU | actions · hunting | P
Windows PowerShell Disable HTTP Logging | ESCU | actions · alerting | P