Disable of ETW Trace - Powershell
Detects usage of powershell cmdlets to disable or remove ETW trace sessions
Sigma rule (View on GitHub)
1title: Disable of ETW Trace - Powershell
2id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
3related:
4 - id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
5 type: derived
6status: test
7description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
8references:
9 - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/06/28
12modified: 2022/11/25
13tags:
14 - attack.defense_evasion
15 - attack.t1070
16 - attack.t1562.006
17 - car.2016-04-002
18logsource:
19 product: windows
20 category: ps_script
21 definition: 'Requirements: Script Block Logging must be enabled'
22detection:
23 selection_pwsh_remove: # Autologger provider removal
24 ScriptBlockText|contains: 'Remove-EtwTraceProvider '
25 selection_pwsh_set: # Provider “Enable” property modification
26 ScriptBlockText|contains|all:
27 - 'Set-EtwTraceProvider '
28 - '0x11'
29 condition: 1 of selection*
30falsepositives:
31 - Unknown
32level: high
References
-
Event Tracing for Windows (ETW) is the mechanism Windows uses to trace and log system events. Attackers often clear event logs to cover…
Read More
Related rules
- Disable of ETW Trace
- DLL Load By System Process From Suspicious Locations
- Okta User Session Start Via An Anonymising Proxy Service
- Fsutil Suspicious Invocation
- Suspicious Eventlog Clear or Configuration Change