Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
Sigma rule

```yaml
title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
id: cd1f961e-0b96-436b-b7c6-38da4583ec00
status: test
description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
references:
    - https://twitter.com/0gtweet/status/1359039665232306183?s=21
    - https://ss64.com/nt/logman.html
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2023-02-21
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1070.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\logman.exe'
        - OriginalFileName: 'Logman.exe'
    selection_action:
        CommandLine|contains:
            - 'stop '
            - 'delete '
    selection_service:
        CommandLine|contains:
            - 'Circular Kernel Context Logger'
            - 'EventLog-' # Cover multiple traces starting with EventLog-*
            - 'SYSMON TRACE'
            - 'SysmonDnsEtwSession'
    condition: all of selection*
falsepositives:
    - Legitimate deactivation by administrative staff
    - Installer tools that disable services, e.g. before log collection agent installation
level: high
```
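To make the rule's logic concrete, the following is an added example (not code from the Sigma project or from the rule's author) that re-implements the three selections and the `all of selection*` condition in plain Python and runs them over a handful of constructed process_creation events. It assumes Sigma's default case-insensitive string matching and that the event fields are named `Image`, `OriginalFileName` and `CommandLine` as in the rule; the sample command lines are made up for illustration and are not captured telemetry.

```python
"""Toy evaluator for the logman ETW tamper rule (added illustration, not a Sigma backend)."""

# Match values copied from the rule's detection block.
IMAGE_SUFFIX = "\\logman.exe"
ORIGINAL_FILE_NAME = "logman.exe"
ACTIONS = ("stop ", "delete ")
SESSIONS = (
    "Circular Kernel Context Logger",
    "EventLog-",           # covers EventLog-Application, EventLog-System, ...
    "SYSMON TRACE",
    "SysmonDnsEtwSession",
)


def _contains_any(value: str, needles) -> bool:
    """Sigma's |contains modifier: substring match, case-insensitive by default."""
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def matches(event: dict) -> bool:
    """Return True when the event satisfies all three selections of the rule."""
    image = event.get("Image", "")
    original_name = event.get("OriginalFileName", "")
    cmdline = event.get("CommandLine", "")

    # selection_img is a YAML list of maps, so the two entries are OR-ed:
    # either the path ends in \logman.exe or the PE's OriginalFileName says Logman.exe.
    selection_img = (
        image.lower().endswith(IMAGE_SUFFIX)
        or original_name.lower() == ORIGINAL_FILE_NAME
    )
    # selection_action / selection_service: any listed substring in the command line.
    selection_action = _contains_any(cmdline, ACTIONS)
    selection_service = _contains_any(cmdline, SESSIONS)

    # condition: all of selection*  -> every selection must be true
    return selection_img and selection_action and selection_service


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {   # stops an EventLog-* trace session: should alert
        "Image": r"C:\Windows\System32\logman.exe",
        "OriginalFileName": "Logman.exe",
        "CommandLine": 'logman stop "EventLog-Application" -ets',
    },
    {   # copied/renamed binary: Image no longer ends in \logman.exe,
        # but OriginalFileName still identifies it, so the rule still fires
        "Image": r"C:\Users\Public\lm.exe",
        "OriginalFileName": "Logman.exe",
        "CommandLine": 'lm.exe delete "SYSMON TRACE" -ets',
    },
    {   # benign: only queries sessions, no stop/delete verb
        "Image": r"C:\Windows\System32\logman.exe",
        "OriginalFileName": "Logman.exe",
        "CommandLine": "logman query -ets",
    },
    {   # benign: stops a trace that is not one of the protected sessions
        "Image": r"C:\Windows\System32\logman.exe",
        "OriginalFileName": "Logman.exe",
        "CommandLine": 'logman stop "MyAppTrace" -ets',
    },
]


def alerts(events=SAMPLE_EVENTS):
    """Return the command lines of every event the rule would flag."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for line in alerts():
        print("ALERT:", line)
```

Two things the run makes visible that the YAML alone does not: the renamed-binary event is still caught because `selection_img` OR-s the path suffix with `OriginalFileName`, and a `stop` against a session outside `selection_service` is deliberately not flagged, which is where the rule keeps its false-positive rate down at the cost of not covering custom trace names.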
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility