ETW Trace Evasion Activity

calendar Jul 17, 2024 · attack.defense_evasion attack.t1070 attack.t1562.006 car.2016-04-002  ·
Share on: linkedin copy

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

Sigma rule (View on GitHub)

 1title: ETW Trace Evasion Activity
 2id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
 3status: test
 4description: |
 5        Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
 6references:
 7    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 8    - https://abuse.io/lockergoga.txt
 9    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
10author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
11date: 2019/03/22
12modified: 2022/06/28
13tags:
14    - attack.defense_evasion
15    - attack.t1070
16    - attack.t1562.006
17    - car.2016-04-002
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_clear_1:
23        CommandLine|contains|all:
24            - 'cl'
25            - '/Trace'
26    selection_clear_2:
27        CommandLine|contains|all:
28            - 'clear-log'
29            - '/Trace'
30    selection_disable_1:
31        CommandLine|contains|all:
32            - 'sl'
33            - '/e:false'
34    selection_disable_2:
35        CommandLine|contains|all:
36            - 'set-log'
37            - '/e:false'
38    selection_disable_3:   # ETW provider removal from a trace session
39        CommandLine|contains|all:
40            - 'logman'
41            - 'update'
42            - 'trace'
43            - '--p'
44            - '-ets'
45    selection_pwsh_remove:   # Autologger provider removal
46        CommandLine|contains: 'Remove-EtwTraceProvider'
47    selection_pwsh_set:   # Provider “Enable” property modification
48        CommandLine|contains|all:
49            - 'Set-EtwTraceProvider'
50            - '0x11'
51    condition: 1 of selection_*
52falsepositives:
53    - Unknown
54level: high

References

  • wevtutil

    Reference article for wevtutil, which lets you retrieve information about event logs and publishers.


    Read More

  • TLP-WHITE - Free to share last updated on 05-04-2019 23.30 CET by PO (Note: Added Fireeye report) Note: If you have questions or additional public information to share, drop us a line at cert@abuse...


    Read More

  • Tampering with Windows Event Tracing: Background, Offense, and Defense

    Event Tracing for Windows (ETW) is the mechanism Windows uses to trace and log system events. Attackers often clear event logs to cover…


    Read More

Related rules

to-top