EXPLORE
Sign In
← Back to Explore
sigmahighHunting

ETW Trace Evasion Activity

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

MITRE ATT&CK

T1070T1562.006
defense-evasion

Detection Query

selection_clear_1:
  CommandLine|contains|all:
    - cl
    - /Trace
selection_clear_2:
  CommandLine|contains|all:
    - clear-log
    - /Trace
selection_disable_1:
  CommandLine|contains|all:
    - sl
    - /e:false
selection_disable_2:
  CommandLine|contains|all:
    - set-log
    - /e:false
selection_disable_3:
  CommandLine|contains|all:
    - logman
    - update
    - trace
    - --p
    - -ets
selection_pwsh_remove:
  CommandLine|contains: Remove-EtwTraceProvider
selection_pwsh_set:
  CommandLine|contains|all:
    - Set-EtwTraceProvider
    - "0x11"
condition: 1 of selection_*

Author

@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community

Created

2019-03-22

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.defense-evasionattack.t1070attack.t1562.006car.2016-04-002
Raw Content
title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
    Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://abuse.io/lockergoga.txt
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
    - attack.defense-evasion
    - attack.t1070
    - attack.t1562.006
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_clear_1:
        CommandLine|contains|all:
            - 'cl'
            - '/Trace'
    selection_clear_2:
        CommandLine|contains|all:
            - 'clear-log'
            - '/Trace'
    selection_disable_1:
        CommandLine|contains|all:
            - 'sl'
            - '/e:false'
    selection_disable_2:
        CommandLine|contains|all:
            - 'set-log'
            - '/e:false'
    selection_disable_3:   # ETW provider removal from a trace session
        CommandLine|contains|all:
            - 'logman'
            - 'update'
            - 'trace'
            - '--p'
            - '-ets'
    selection_pwsh_remove:   # Autologger provider removal
        CommandLine|contains: 'Remove-EtwTraceProvider'
    selection_pwsh_set:   # Provider “Enable” property modification
        CommandLine|contains|all:
            - 'Set-EtwTraceProvider'
            - '0x11'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high