CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
a00a114101ab33eda2e75c9cf2ddab57cccea821
hayabusa/rules/sigma/process_creation/win_etw_trace_evasion.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235) 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

73 lines
2.1 KiB
YAML
Raw Blame History

title: Disable of ETW Trace
author: '@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community'
date: 2019/03/22
description: Detects a command that clears or disables any ETW trace log which could
indicate a logging evasion.
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*Remove-EtwTraceProvider*'
SELECTION_11:
CommandLine: '*EventLog-Microsoft-Windows-WMI-Activity-Trace*'
SELECTION_12:
CommandLine: '*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*'
SELECTION_13:
CommandLine: '*Set-EtwTraceProvider*'
SELECTION_14:
CommandLine: '*{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}*'
SELECTION_15:
CommandLine: '*EventLog-Microsoft-Windows-WMI-Activity-Trace*'
SELECTION_16:
CommandLine: '*0x11*'
SELECTION_17:
CommandLine: '*logman*'
SELECTION_18:
CommandLine: '*update*'
SELECTION_19:
CommandLine: '*trace*'
SELECTION_2:
CommandLine: '*cl*'
SELECTION_20:
CommandLine: '*--p*'
SELECTION_21:
CommandLine: '*-ets*'
SELECTION_3:
CommandLine: '*/Trace*'
SELECTION_4:
CommandLine: '*clear-log*'
SELECTION_5:
CommandLine: '*/Trace*'
SELECTION_6:
CommandLine: '*sl*'
SELECTION_7:
CommandLine: '*/e:false*'
SELECTION_8:
CommandLine: '*set-log*'
SELECTION_9:
CommandLine: '*/e:false*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9) or (SELECTION_10
and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15
and SELECTION_16) or (SELECTION_17 and SELECTION_18 and SELECTION_19 and SELECTION_20
and SELECTION_21)))
falsepositives:
- Unknown
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
level: high
logsource:
category: process_creation
product: windows
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://abuse.io/lockergoga.txt
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
status: experimental
tags:
- attack.defense_evasion
- attack.t1070
- attack.t1562.006
- car.2016-04-002
ruletype: SIGMA
Reference in New Issue View Git Blame Copy Permalink