Disable of ETW Trace

Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.

Sigma rule (View on GitHub)

 1title: Disable of ETW Trace
 2id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
 3status: test
 4description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
 5references:
 6    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 7    - https://abuse.io/lockergoga.txt
 8    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
 9author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
10date: 2019/03/22
11modified: 2022/06/28
12tags:
13    - attack.defense_evasion
14    - attack.t1070
15    - attack.t1562.006
16    - car.2016-04-002
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_clear_1:
22        CommandLine|contains|all:
23            - 'cl'
24            - '/Trace'
25    selection_clear_2:
26        CommandLine|contains|all:
27            - 'clear-log'
28            - '/Trace'
29    selection_disable_1:
30        CommandLine|contains|all:
31            - 'sl'
32            - '/e:false'
33    selection_disable_2:
34        CommandLine|contains|all:
35            - 'set-log'
36            - '/e:false'
37    selection_disable_3:   # ETW provider removal from a trace session
38        CommandLine|contains|all:
39            - 'logman'
40            - 'update'
41            - 'trace'
42            - '--p'
43            - '-ets'
44    selection_pwsh_remove:   # Autologger provider removal
45        CommandLine|contains: 'Remove-EtwTraceProvider'
46    selection_pwsh_set:   # Provider “Enable” property modification
47        CommandLine|contains|all:
48            - 'Set-EtwTraceProvider'
49            - '0x11'
50    condition: 1 of selection*
51falsepositives:
52    - Unknown
53level: high

References

Related rules

to-top