Sigma rule | Level: high | Hunting
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
Detects the execution of the "logman" utility in order to disable or delete Windows trace sessions
Detection Query
selection_img:
    - Image|endswith: \logman.exe
    - OriginalFileName: Logman.exe
selection_action:
    CommandLine|contains:
        - "stop "
        - "delete "
selection_service:
    CommandLine|contains:
        - Circular Kernel Context Logger
        - EventLog-
        - SYSMON TRACE
        - SysmonDnsEtwSession
condition: all of selection*
Author
Florian Roth (Nextron Systems)
Created
2021-02-11
Data Sources
windows / Process Creation Events
Platforms
windows
References
https://twitter.com/0gtweet/status/1359039665232306183?s=21
https://ss64.com/nt/logman.html
Tags
attack.defense-evasion, attack.t1562.001, attack.t1070.001
Raw Content
title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
id: cd1f961e-0b96-436b-b7c6-38da4583ec00
status: test
description: Detects the execution of the "logman" utility in order to disable or delete Windows trace sessions
references:
    - https://twitter.com/0gtweet/status/1359039665232306183?s=21
    - https://ss64.com/nt/logman.html
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2023-02-21
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1070.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\logman.exe'
        - OriginalFileName: 'Logman.exe'
    selection_action:
        CommandLine|contains:
            - 'stop '
            - 'delete '
    selection_service:
        CommandLine|contains:
            - 'Circular Kernel Context Logger'
            - 'EventLog-' # Cover multiple traces starting with EventLog-*
            - 'SYSMON TRACE'
            - 'SysmonDnsEtwSession'
    condition: all of selection*
falsepositives:
    - Legitimate deactivation by administrative staff
    - Installer tools that disable services, e.g. before log collection agent installation
level: high
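The following is an added example, not part of the rule or of the SigmaHQ project: a small Python evaluation of the rule's three selections and its `all of selection*` condition over constructed Windows process-creation events. Field names mirror the Sigma fields used above (Image, OriginalFileName, CommandLine); the events themselves are constructed for illustration, not captured telemetry. As in Sigma, string matching is treated as case-insensitive.

```python
"""Added example: evaluate the Sigma rule's selections over constructed
process-creation events. Not the rule author's or SigmaHQ's code."""

# Trace-session names from selection_service. 'EventLog-' is a prefix that
# covers EventLog-Application, EventLog-System, and similar sessions.
TRACE_NAMES = (
    "Circular Kernel Context Logger",
    "EventLog-",
    "SYSMON TRACE",
    "SysmonDnsEtwSession",
)
# Sub-commands from selection_action (note the trailing space in each).
ACTIONS = ("stop ", "delete ")


def _ci_contains(haystack: str, needle: str) -> bool:
    # Sigma string modifiers are case-insensitive by default.
    return needle.lower() in haystack.lower()


def selection_img(event: dict) -> bool:
    """selection_img is a list of maps, so the two entries are OR-ed."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    return image.lower().endswith("\\logman.exe") or original.lower() == "logman.exe"


def selection_action(event: dict) -> bool:
    """CommandLine|contains with a list: any listed value matches."""
    cmd = event.get("CommandLine", "")
    return any(_ci_contains(cmd, a) for a in ACTIONS)


def selection_service(event: dict) -> bool:
    cmd = event.get("CommandLine", "")
    return any(_ci_contains(cmd, t) for t in TRACE_NAMES)


def matches(event: dict) -> bool:
    """condition: all of selection*  -> every selection must be true."""
    return selection_img(event) and selection_action(event) and selection_service(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: stops a listed kernel trace -> alert
    {"Image": r"C:\Windows\System32\logman.exe", "OriginalFileName": "Logman.exe",
     "CommandLine": 'logman stop "Circular Kernel Context Logger" -ets'},
    # 1: deletes an EventLog-* session, caught by the 'EventLog-' prefix -> alert
    {"Image": r"C:\Windows\System32\logman.exe", "OriginalFileName": "Logman.exe",
     "CommandLine": "logman delete EventLog-Application -ets"},
    # 2: renamed binary; Image misses, but OriginalFileName still identifies logman -> alert
    {"Image": r"C:\Users\Public\lm.exe", "OriginalFileName": "Logman.exe",
     "CommandLine": 'lm.exe stop "SYSMON TRACE" -ets'},
    # 3: read-only query, no stop/delete -> no alert
    {"Image": r"C:\Windows\System32\logman.exe", "OriginalFileName": "Logman.exe",
     "CommandLine": "logman query -ets"},
    # 4: stops a trace the rule does not list -> no alert
    {"Image": r"C:\Windows\System32\logman.exe", "OriginalFileName": "Logman.exe",
     "CommandLine": "logman stop MyAppTrace -ets"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT:", hit)
```

Events 0 through 2 fire and 3 and 4 do not. Event 2 shows why the rule keys on OriginalFileName as well as Image: renaming the binary does not change the PE version resource that Sysmon reports. Event 0 also illustrates the falsepositives section: an administrator legitimately stopping the same session produces an identical command line, so triage has to rely on context (who ran it, from where, and whether a log-collection agent was being installed) rather than on the command line alone.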