Disable of ETW Trace
Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
Sigma rule

title: Disable of ETW Trace
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://abuse.io/lockergoga.txt
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019/03/22
modified: 2022/06/28
tags:
    - attack.defense_evasion
    - attack.t1070
    - attack.t1562.006
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_clear_1:
        CommandLine|contains|all:
            - 'cl'
            - '/Trace'
    selection_clear_2:
        CommandLine|contains|all:
            - 'clear-log'
            - '/Trace'
    selection_disable_1:
        CommandLine|contains|all:
            - 'sl'
            - '/e:false'
    selection_disable_2:
        CommandLine|contains|all:
            - 'set-log'
            - '/e:false'
    selection_disable_3: # ETW provider removal from a trace session
        CommandLine|contains|all:
            - 'logman'
            - 'update'
            - 'trace'
            - '--p'
            - '-ets'
    selection_pwsh_remove: # Autologger provider removal
        CommandLine|contains: 'Remove-EtwTraceProvider'
    selection_pwsh_set: # Provider "Enable" property modification
        CommandLine|contains|all:
            - 'Set-EtwTraceProvider'
            - '0x11'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
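The matching logic of the rule above, re-implemented in plain Python and run over constructed process_creation command lines (added example, not code from the Sigma project or this rule's authors). It mirrors the seven selections and the `1 of selection*` condition, and includes one benign command line that still satisfies `selection_clear_1`, which is worth knowing when tuning the two-character `'cl'` term; the GUID in the PowerShell sample is a constructed placeholder.

```python
# Each selection lists the substrings that must ALL occur (contains|all).
# Sigma string matching is case-insensitive, so both sides are lower-cased.
SELECTIONS = {
    "selection_clear_1": ["cl", "/trace"],
    "selection_clear_2": ["clear-log", "/trace"],
    "selection_disable_1": ["sl", "/e:false"],
    "selection_disable_2": ["set-log", "/e:false"],
    "selection_disable_3": ["logman", "update", "trace", "--p", "-ets"],
    "selection_pwsh_remove": ["remove-etwtraceprovider"],
    "selection_pwsh_set": ["set-etwtraceprovider", "0x11"],
}


def matching_selections(command_line: str) -> list[str]:
    """Names of every selection the CommandLine field satisfies."""
    cl = command_line.lower()
    return [name for name, needles in SELECTIONS.items()
            if all(n in cl for n in needles)]


def rule_fires(command_line: str) -> bool:
    """condition: 1 of selection*  ->  any selection matched."""
    return bool(matching_selections(command_line))


# Constructed sample events (not real telemetry); the GUID is a placeholder.
SAMPLE_EVENTS = [
    "wevtutil cl Microsoft-Windows-WMI-Activity/Trace",
    "wevtutil sl Microsoft-Windows-Kernel-Process/Trace /e:false",
    "logman update trace EventLog-Application --p Microsoft-Windows-PowerShell -ets",
    'powershell -c "Remove-EtwTraceProvider -AutologgerName EventLog-Application '
    '-Guid {00000000-0000-0000-0000-000000000000}"',
    "wevtutil qe Security /c:5 /f:text",                     # benign query: no match
    "curl.exe https://cloud.example.com/Trace/upload -o out.json",  # benign, but fires
]


def run(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each command line to the selections it triggered (empty = no alert)."""
    return {e: matching_selections(e) for e in events}


if __name__ == "__main__":
    for event, hits in run().items():
        print("ALERT " if hits else "      ", event, hits)
```

The last sample shows why `falsepositives: Unknown` deserves attention: any command line containing both `cl` (here inside "cloud") and `/Trace` satisfies `selection_clear_1`, so environments with such URLs or paths will want to anchor the `cl` term to `wevtutil`.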
Related rules
- Disable of ETW Trace - Powershell
- DLL Load By System Process From Suspicious Locations
- Okta User Session Start Via An Anonymising Proxy Service
- Fsutil Suspicious Invocation
- Suspicious Eventlog Clear or Configuration Change