Detectionhightest
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Thu Feb 11Updated Tue Feb 21cd1f961e-0b96-436b-b7c6-38da4583ec00windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic3 selectors
detection:
selection_img:
- Image|endswith: '\logman.exe'
- OriginalFileName: 'Logman.exe'
selection_action:
CommandLine|contains:
- 'stop '
- 'delete '
selection_service:
CommandLine|contains:
- 'Circular Kernel Context Logger'
- 'EventLog-' # Cover multiple traces starting with EventLog-*
- 'SYSMON TRACE'
- 'SysmonDnsEtwSession'
condition: all of selection*False Positives
Legitimate deactivation by administrative staff
Installer tools that disable services, e.g. before log collection agent installation
MITRE ATT&CK
Rule Metadata
Rule ID
cd1f961e-0b96-436b-b7c6-38da4583ec00
Status
test
Level
high
Type
Detection
Created
Thu Feb 11
Modified
Tue Feb 21
Path
rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml
Raw Tags
attack.defense-evasionattack.t1562.001attack.t1070.001