ETW Logging Disabled For SCM
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
Sigma rule (View on GitHub)
1title: ETW Logging Disabled For SCM
2id: 4f281b83-0200-4b34-bf35-d24687ea57c2
3status: test
4description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
5references:
6 - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-12-09
9modified: 2023-08-17
10tags:
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.t1112
14 - attack.t1562
15logsource:
16 product: windows
17 category: registry_set
18detection:
19 selection:
20 TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled'
21 Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.
22 condition: selection
23falsepositives:
24 - Unknown
25level: low
References
-
Disclaimer: as I am aware that the given code examples can be dangerous for Etw-based EDR products - all code was made for least popular ve...
Read More
Related rules
- ETW Logging Disabled For rpcrt4.dll
- ETW Logging Disabled In .NET Processes - Registry
- ETW Logging Disabled In .NET Processes - Sysmon Registry
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry