Disable of ETW Trace - Powershell
Detects usage of powershell cmdlets to disable or remove ETW trace sessions
Sigma rule

title: Disable of ETW Trace - Powershell
id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
related:
    - id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
      type: derived
status: test
description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
references:
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2022-11-25
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - car.2016-04-002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_pwsh_remove: # Autologger provider removal
        ScriptBlockText|contains: 'Remove-EtwTraceProvider '
    selection_pwsh_set: # Provider "Enable" property modification
        ScriptBlockText|contains|all:
            - 'Set-EtwTraceProvider '
            - '0x11'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
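To show how the detection block above behaves on Script Block Logging data, here is an added evaluator (example code, not part of the Sigma project) that implements this rule's `contains`, `contains|all` and `1 of selection*` logic and runs it over constructed Event ID 4104 ScriptBlockText values; the autologger name and GUID in the samples are placeholders.

```python
# Added example: minimal evaluator for the detection block of this rule.
# Sigma string matching is case-insensitive; note the trailing space in
# 'Remove-EtwTraceProvider ' requires the cmdlet name to be followed by
# an argument separator, so a bare mention of the cmdlet does not match.

RULE = {
    "selection_pwsh_remove": {
        "ScriptBlockText|contains": ["Remove-EtwTraceProvider "]},
    "selection_pwsh_set": {
        "ScriptBlockText|contains|all": ["Set-EtwTraceProvider ", "0x11"]},
}
CONDITION_PREFIX = "selection"  # from "condition: 1 of selection*"


def _field_matches(record, key, values):
    """Apply one 'field|contains[|all]' selector to a record."""
    field, *modifiers = key.split("|")
    haystack = str(record.get(field, "")).lower()
    hits = [v.lower() in haystack for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(record, selection):
    # Every field selector inside one selection must match (implicit AND).
    return all(_field_matches(record, k, v) for k, v in selection.items())


def matches_rule(record):
    # "1 of selection*": any selection whose name starts with the prefix.
    return any(selection_matches(record, sel)
               for name, sel in RULE.items()
               if name.startswith(CONDITION_PREFIX))


# Constructed script block texts (placeholder autologger name and GUID).
SAMPLE_RECORDS = [
    {"id": 1, "ScriptBlockText": "Remove-EtwTraceProvider -AutologgerName "
     "'EXAMPLE-Logger' -Guid '{00000000-0000-0000-0000-000000000000}'"},
    {"id": 2, "ScriptBlockText": "Set-EtwTraceProvider -AutologgerName "
     "'EXAMPLE-Logger' -Guid '{00000000-0000-0000-0000-000000000000}' "
     "-Property 0x11"},
    {"id": 3, "ScriptBlockText": "Set-EtwTraceProvider -AutologgerName "
     "'EXAMPLE-Logger' -Guid '{00000000-0000-0000-0000-000000000000}' "
     "-Property 0x41"},  # only one of the 'all' terms present
    {"id": 4, "ScriptBlockText": "Get-EtwTraceProvider -AutologgerName "
     "'EXAMPLE-Logger'"},  # benign enumeration, not covered by the rule
]


def evaluate(records):
    """Return (id, matched) pairs for a list of records."""
    return [(r["id"], matches_rule(r)) for r in records]
```

Records 1 and 2 match (one via each selection), records 3 and 4 do not; the `0x41` sample shows why the `all` modifier matters for the `Set-EtwTraceProvider` selection.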
References
Related rules
- ETW Trace Evasion Activity
- Filter Driver Unloaded Via Fltmc.EXE
- Sysmon Driver Unloaded Via Fltmc.EXE
- ASLR Disabled Via Sysctl or Direct Syscall - Linux
- Microsoft Malware Protection Engine Crash