mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
39 lines
1.1 KiB
YAML
39 lines
1.1 KiB
YAML
title: Disable of ETW Trace
|
|
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
|
|
description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
|
|
status: experimental
|
|
references:
|
|
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
|
|
- https://abuse.io/lockergoga.txt
|
|
author: '@neu5ron, Florian Roth'
|
|
date: 2019/03/22
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1070
|
|
- attack.t1562.006
|
|
- car.2016-04-002
|
|
level: high
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_clear_1:
|
|
CommandLine|contains|all:
|
|
- 'cl'
|
|
- '/Trace'
|
|
selection_clear_2:
|
|
CommandLine|contains|all:
|
|
- 'clear-log'
|
|
- '/Trace'
|
|
selection_disable_1:
|
|
CommandLine|contains|all:
|
|
- 'sl'
|
|
- '/e:false'
|
|
selection_disable_2:
|
|
CommandLine|contains|all:
|
|
- 'set-log'
|
|
- '/e:false'
|
|
condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2
|
|
falsepositives:
|
|
- Unknown
|