ETW Logging Disabled For SCM
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
Sigma rule (View on GitHub)
1title: ETW Logging Disabled For SCM
2id: 4f281b83-0200-4b34-bf35-d24687ea57c2
3status: test
4description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
5references:
6 - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-12-09
9modified: 2023-08-17
10tags:
11 - attack.defense-evasion
12 - attack.t1112
13 - attack.t1562
14logsource:
15 product: windows
16 category: registry_set
17detection:
18 selection:
19 TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled'
20 Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.
21 condition: selection
22falsepositives:
23 - Unknown
24level: low
References
-
Disclaimer: as I am aware that the given code examples can be dangerous for Etw-based EDR products - all code was made for least popular ve...
Read More
Related rules
- ETW Logging Disabled For rpcrt4.dll
- ETW Logging Disabled In .NET Processes - Registry
- ETW Logging Disabled In .NET Processes - Sysmon Registry
- AWS SecurityHub Findings Evasion
- Activate Suppression of Windows Security Center Notifications