Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0535: Analytic 0535

Detection of attempts to disable or tamper with Windows Event Logging. This includes stopping or disabling the EventLog service, modifying registry keys related to EventLog and Autologger, using `auditpol` or `wevtutil` to disable categories or clear audit policies, and detecting suspicious gaps or resets in event logs. Defenders observe registry changes, service state changes, process execution of disabling commands, and anomalies in event record sequences.

EnterpriseAN0535AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because Windows Event Logging is a core source of evidence for security monitoring, incident response, audit reconstruction, and compliance support. Attempts to stop, disable, clear, or disrupt logging can reduce visibility exactly when defenders need it most. For leaders, the practical question is not only whether this activity can be detected, but whether the organization can prove that critical Windows logs remain available, complete, and monitored during an incident.

Executive priority

Treat this as a resilience and evidence-preservation control point. Security leaders should ask whether SOC and IR teams can detect tampering with Windows EventLog service state, relevant registry settings, audit policy changes, log-clearing commands, and suspicious event sequence gaps. This supports incident decision-making, audit defensibility, and prioritization of logging hardening where Windows systems are material to business operations.

Technical view

For Windows environments, validate collection and alerting around service state changes affecting EventLog, registry changes related to EventLog and Autologger, execution of utilities such as auditpol or wevtutil when used to weaken or clear auditing, and anomalies such as gaps or resets in event record sequences. Because no ATT&CK detection logic is supplied, teams should translate the description into local queries and test them against known administrative activity to separate expected maintenance from suspicious tampering.

Likely telemetry

  • Windows service state change events for the EventLog service
  • Windows registry modification events for EventLog and Autologger-related keys
  • Process execution telemetry for auditpol, wevtutil, and related command-line activity
  • Windows audit policy change evidence
  • Windows event log clear, reset, sequence gap, or unexpected interruption indicators

Detection direction

  • Confirm that endpoint and SIEM pipelines still receive telemetry when local logging is stopped, disabled, cleared, or misconfigured.
  • Tune for context: some audit policy and log maintenance actions may be legitimate when performed by authorized administrators or management tooling.
  • Correlate command execution, registry modification, service changes, and log sequence anomalies rather than relying on a single signal.
  • Validate coverage on representative Windows servers and workstations, especially systems that support critical business processes or privileged administration.
  • Look for blind spots where local-only logs could be removed before forwarding, or where logging health is not monitored as a first-class detection source.

Mitigation priorities

  • Prioritize centralized log forwarding and monitoring of log pipeline health for Windows systems.
  • Restrict and monitor administrative permissions capable of changing event logging, audit policy, service configuration, or relevant registry settings.
  • Establish change-control expectations for legitimate audit policy and logging configuration changes.
  • Retain sufficient event history outside the endpoint so incident responders can reconstruct activity if local logs are cleared or interrupted.
  • Periodically test whether SOC alerts fire for approved simulations of logging tamper conditions.
Analyst notes and limits

This object is a detection analytic, not a technique description, and no relationship context was supplied. The value is in using the ATT&CK description as a validation checklist for Windows logging integrity and monitoring readiness.

Official detection logic is not provided, tactics are not specified, and no related techniques, groups, campaigns, software, or mitigations were supplied. Local baselines, administrative processes, and telemetry architecture are required to determine alert thresholds and business risk.

Official MITRE ATT&CK definition

Analytic 0535

Detection of attempts to disable or tamper with Windows Event Logging. This includes stopping or disabling the EventLog service, modifying registry keys related to EventLog and Autologger, using `auditpol` or `wevtutil` to disable categories or clear audit policies, and detecting suspicious gaps or resets in event logs. Defenders observe registry changes, service state changes, process execution of disabling commands, and anomalies in event record sequences.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
a0069510b21db398...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle a0069510b21d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0535
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use