detection.wiki

Detection rules › Sigma

ETW Trace Evasion Activity

Severity
high
Author
@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
Source
upstream

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1070 Indicator Removal, T1562.006 Impair Defenses: Indicator Blocking

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: 1 of selection_clear_1

CommandLine|contains: '/Trace'
CommandLine|contains: cl

Stage 2: 1 of selection_clear_2

CommandLine|contains: '/Trace'
CommandLine|contains: clear-log

Stage 3: 1 of selection_disable_1

CommandLine|contains: '/e:false'
CommandLine|contains: sl

Stage 4: 1 of selection_disable_2

CommandLine|contains: '/e:false'
CommandLine|contains: set-log

Stage 5: 1 of selection_disable_3

CommandLine|contains: --p
CommandLine|contains: -ets
CommandLine|contains: logman
CommandLine|contains: trace
CommandLine|contains: update

Stage 6: 1 of selection_pwsh_remove

CommandLine|contains: Remove-EtwTraceProvider

Stage 7: 1 of selection_pwsh_set

CommandLine|contains: 0x11
CommandLine|contains: Set-EtwTraceProvider

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • --p
  • -ets
  • /Trace
  • /e:false
  • 0x11
  • Remove-EtwTraceProvider
  • Set-EtwTraceProvider
  • cl
  • clear-log
  • logman
  • set-log
  • sl
  • trace corpus 2 (sigma 2)
  • update corpus 2 (sigma 2)