detection.wiki

ATT&CK coverage › Technique

Impair Defenses: Indicator Blocking T1562.006

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.

Events covered

5 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon13RegistryEvent (Value Set)
Security-Auditing4688A new process has been created.
Security-Auditing4719System audit policy was changed.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 7 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (10 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Details3eq 3, is_not_null 2DWORD (0x00000000), 0x00000000, 0x000000000, 0
CommandLine2match 2logman, /e:false, 0x11, sp , add
registry_path2eq 2"*\\SOFTWARE\\Microsoft\\.NETFramework*", "*\\Environment*"
registry_value_name2eq 2ETWEnabled, "COMPlus_ETWEnabled"
AuditPolicyChangesDescription1eq 1, in 1Success removed, Success Added
SubCategory1in 1Process Creation, Security Group Management, User Account Management
TargetObject1ends_with 1\Software\Microsoft\Windows Script\Settings\AmsiEnable
ScriptBlockText1match 1Set-EtwTraceProvider , Remove-EtwTraceProvider , 0x11
Image1ends_with 1\reg.exe, \powershell.exe, \pwsh.exe
OriginalFileName1eq 1PowerShell.EXE, reg.exe, pwsh.dll

Top indicator values (47 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
SubCategoryinOther System Events1
SubCategoryinLogon1
SubCategoryinProcess Creation1
AuditPolicyChangesDescriptioninSuccess Added1
AuditPolicyChangesDescriptioneqSuccess removed1
AuditPolicyChangesDescriptioninSuccess removed1
SubCategoryinSecurity Group Management1
SubCategoryinAudit Policy Change1
SubCategoryinUser Account Management1
TargetObjectends_with\Software\Microsoft\Windows Script\Settings\AmsiEnable1
DetailseqDWORD (0x00000000)138
ScriptBlockTextmatchSet-EtwTraceProvider 1
ScriptBlockTextmatchRemove-EtwTraceProvider 1
ScriptBlockTextmatch0x111
CommandLinematchset-log1
CommandLinematchlogman1
CommandLinematchSet-EtwTraceProvider1
CommandLinematch/Trace1
CommandLinematch--p1
CommandLinematch-ets1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 4 rules

Elastic 1 rule

Splunk 2 rules