ETW Trace Evasion Activity
Detects command line activity that tries to clear or disable any ETW trace log, which could be a sign of logging evasion.
Sigma rule

```yaml
title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
    Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://abuse.io/lockergoga.txt
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_clear_1:
        CommandLine|contains|all:
            - 'cl'
            - '/Trace'
    selection_clear_2:
        CommandLine|contains|all:
            - 'clear-log'
            - '/Trace'
    selection_disable_1:
        CommandLine|contains|all:
            - 'sl'
            - '/e:false'
    selection_disable_2:
        CommandLine|contains|all:
            - 'set-log'
            - '/e:false'
    selection_disable_3: # ETW provider removal from a trace session
        CommandLine|contains|all:
            - 'logman'
            - 'update'
            - 'trace'
            - '--p'
            - '-ets'
    selection_pwsh_remove: # Autologger provider removal
        CommandLine|contains: 'Remove-EtwTraceProvider'
    selection_pwsh_set: # Provider "Enable" property modification
        CommandLine|contains|all:
            - 'Set-EtwTraceProvider'
            - '0x11'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
```
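To see how the detection block above behaves on real-looking telemetry, the following evaluator transcribes its seven selections and the `1 of selection_*` condition into Python and runs them over a handful of constructed `process_creation` records. This is an added example, not code from the Sigma project or the rule's authors; it assumes Sigma's default case-insensitive substring matching for `contains` / `contains|all`, and every command line, image path and provider name in `SAMPLE_RECORDS` is made up for the demonstration.

```python
"""Minimal evaluator for the 'ETW Trace Evasion Activity' Sigma rule.

Added example, not part of the Sigma project: it transcribes the rule's
detection block (contains / contains|all selections joined by the
condition '1 of selection_*') and runs it over constructed records.
"""

# Each selection is the list of substrings that must all appear in
# CommandLine. A single-entry list covers the plain 'contains' selection.
SELECTIONS = {
    "selection_clear_1": ["cl", "/Trace"],
    "selection_clear_2": ["clear-log", "/Trace"],
    "selection_disable_1": ["sl", "/e:false"],
    "selection_disable_2": ["set-log", "/e:false"],
    "selection_disable_3": ["logman", "update", "trace", "--p", "-ets"],
    "selection_pwsh_remove": ["Remove-EtwTraceProvider"],
    "selection_pwsh_set": ["Set-EtwTraceProvider", "0x11"],
}


def contains_all(command_line: str, substrings: list[str]) -> bool:
    """Sigma 'contains|all': every substring present, case-insensitively
    (assumption: Sigma's default matching, i.e. no |cased modifier)."""
    haystack = command_line.lower()
    return all(s.lower() in haystack for s in substrings)


def matching_selections(command_line: str) -> list[str]:
    """Names of all selections that fire for this command line, in rule order."""
    return [name for name, subs in SELECTIONS.items()
            if contains_all(command_line, subs)]


def rule_matches(record: dict) -> bool:
    """condition: 1 of selection_*  ->  any single selection is enough."""
    return bool(matching_selections(record.get("CommandLine", "")))


# Constructed sample process_creation records, not real telemetry.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe sl Microsoft-Windows-Example/Trace /e:false"},
    {"Image": r"C:\Windows\System32\logman.exe",
     "CommandLine": "logman update trace ExampleSession --p Example-Provider -ets"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Set-EtwTraceProvider "
                    "-AutologgerName ExampleLogger -Property 0x11"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    # Benign download whose URL happens to contain 'cl' (inside 'client') and
    # '/Trace': shows why the two-character 'cl' token is a false-positive source.
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -o client.log https://files.example.test/Trace/client.log"},
]


def evaluate(records: list[dict]) -> dict[str, list[str]]:
    """Map each command line to the selections it triggered (empty = no alert)."""
    return {r["CommandLine"]: matching_selections(r["CommandLine"]) for r in records}


if __name__ == "__main__":
    for cmd, hits in evaluate(SAMPLE_RECORDS).items():
        status = "ALERT" if hits else "ok   "
        print(f"{status} {cmd}\n        -> {hits}")
```

The first three records each trip exactly one selection, the notepad record trips none, and the last record is the caveat worth keeping in mind when tuning this rule: `cl` and `sl` are two-character tokens, so any command line that also carries `/Trace` or `/e:false` and happens to contain those letters in some other word will alert. Whether to tighten a local copy (for example by also keying on the `Image` field or on the surrounding spaces) is a tuning decision; the rule as published accepts the broader match and rates its false positives as "Unknown".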
Related rules
- Disable of ETW Trace - Powershell
- Filter Driver Unloaded Via Fltmc.EXE
- Sysmon Driver Unloaded Via Fltmc.EXE
- ASLR Disabled Via Sysctl or Direct Syscall - Linux
- Microsoft Malware Protection Engine Crash