← Back to ATT&CK index
T1562.002sub-technique
Impair Defenses: Disable Windows Event Logging
View on attack.mitre.org →7 syscalls implement this technique
- NtAccessCheckAndAuditAlarm
Performs a standard access check and writes an audit-alarm entry to the Security event log.
- NtAccessCheckByTypeAndAuditAlarm
Performs a typed access check and writes an audit-alarm entry to the Security event log.
- NtAccessCheckByTypeResultListAndAuditAlarm
Typed access check returning a per-type result list, while writing audit-alarm entries to the Security event log.
- NtPrivilegeObjectAuditAlarm
Emits a Security event-log entry reporting the use of one or more privileges on a specific object.
- NtPrivilegedServiceAuditAlarm
Emits a Security event-log entry reporting a privileged service operation (event 4673).
- NtCloseObjectAuditAlarm
Emits the Security event-log entry that pairs with an earlier audit-alarm open, marking a handle's close.
- NtDeleteObjectAuditAlarm
Emits the Security event-log entry that records the deletion of an audited object.