title: Disable of ETW Trace author: '@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community' date: 2019/03/22 description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion. detection: SELECTION_1: EventID: 1 SELECTION_10: CommandLine: '*Remove-EtwTraceProvider*' SELECTION_11: CommandLine: '*EventLog-Microsoft-Windows-WMI-Activity-Trace*' SELECTION_12: CommandLine: '*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*' SELECTION_13: CommandLine: '*Set-EtwTraceProvider*' SELECTION_14: CommandLine: '*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*' SELECTION_15: CommandLine: '*EventLog-Microsoft-Windows-WMI-Activity-Trace*' SELECTION_16: CommandLine: '*0x11*' SELECTION_17: CommandLine: '*logman*' SELECTION_18: CommandLine: '*update*' SELECTION_19: CommandLine: '*trace*' SELECTION_2: CommandLine: '*cl*' SELECTION_20: CommandLine: '*--p*' SELECTION_21: CommandLine: '*-ets*' SELECTION_3: CommandLine: '*/Trace*' SELECTION_4: CommandLine: '*clear-log*' SELECTION_5: CommandLine: '*/Trace*' SELECTION_6: CommandLine: '*sl*' SELECTION_7: CommandLine: '*/e:false*' SELECTION_8: CommandLine: '*set-log*' SELECTION_9: CommandLine: '*/e:false*' condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5) or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9) or (SELECTION_10 and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15 and SELECTION_16) or (SELECTION_17 and SELECTION_18 and SELECTION_19 and SELECTION_20 and SELECTION_21))) falsepositives: - Unknown id: a238b5d0-ce2d-4414-a676-7a531b3d13d6 level: high logsource: category: process_creation product: windows references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil - https://abuse.io/lockergoga.txt - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 status: experimental tags: - attack.defense_evasion - attack.t1070 - attack.t1562.006 - car.2016-04-002 ruletype: SIGMA