car.2016-04-002 | Detection.FYI

Disable of ETW Trace - Powershell

Apr 28, 2026 · attack.stealth attack.defense-impairment attack.t1070 attack.t1685 car.2016-04-002 ·
Share on:

Detects usage of powershell cmdlets to disable or remove ETW trace sessions

Read More
ETW Trace Evasion Activity

Apr 28, 2026 · attack.stealth attack.defense-impairment attack.t1070 attack.t1685 car.2016-04-002 ·
Share on:

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

Read More
Eventlog Cleared

Apr 28, 2026 · attack.defense-impairment attack.t1685.005 car.2016-04-002 ·
Share on:

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Read More
Important Windows Eventlog Cleared

Apr 28, 2026 · attack.defense-impairment attack.t1685.005 car.2016-04-002 ·
Share on:

Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Read More
NotPetya Ransomware Activity

Apr 28, 2026 · attack.stealth attack.defense-impairment attack.t1218.011 attack.t1685.005 attack.credential-access attack.t1003.001 car.2016-04-002 detection.emerging-threats ·
Share on:

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Read More
Security Eventlog Cleared

Apr 28, 2026 · attack.defense-impairment attack.t1685.005 car.2016-04-002 ·
Share on:

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Read More
Suspicious Eventlog Clearing or Configuration Change Activity

Apr 28, 2026 · attack.defense-impairment attack.t1685.005 attack.t1685.001 car.2016-04-002 ·
Share on:

Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.

Read More