Detectionhightest
ETW Trace Evasion Activity
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.communityCreated Fri Mar 22Updated Tue Jun 28a238b5d0-ce2d-4414-a676-7a531b3d13d6windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic7 selectors
detection:
selection_clear_1:
CommandLine|contains|all:
- 'cl'
- '/Trace'
selection_clear_2:
CommandLine|contains|all:
- 'clear-log'
- '/Trace'
selection_disable_1:
CommandLine|contains|all:
- 'sl'
- '/e:false'
selection_disable_2:
CommandLine|contains|all:
- 'set-log'
- '/e:false'
selection_disable_3: # ETW provider removal from a trace session
CommandLine|contains|all:
- 'logman'
- 'update'
- 'trace'
- '--p'
- '-ets'
selection_pwsh_remove: # Autologger provider removal
CommandLine|contains: 'Remove-EtwTraceProvider'
selection_pwsh_set: # Provider “Enable” property modification
CommandLine|contains|all:
- 'Set-EtwTraceProvider'
- '0x11'
condition: 1 of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Techniques
Sub-techniques
CAR Analytics
2016-04-002 · CAR 2016-04-002
Rule Metadata
Rule ID
a238b5d0-ce2d-4414-a676-7a531b3d13d6
Status
test
Level
high
Type
Detection
Created
Fri Mar 22
Modified
Tue Jun 28
Path
rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
Raw Tags
attack.defense-evasionattack.t1070attack.t1562.006car.2016-04-002