← Back to SOC feed Coverage →

ETW Trace Evasion Activity

sigma HIGH SigmaHQ
T1070T1685
imProcessCreate
evasion
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-21T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

Detection Rule

Sigma (Original)

title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
    Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://abuse.io/lockergoga.txt
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_clear_1:
        CommandLine|contains|all:
            - 'cl'
            - '/Trace'
    selection_clear_2:
        CommandLine|contains|all:
            - 'clear-log'
            - '/Trace'
    selection_disable_1:
        CommandLine|contains|all:
            - 'sl'
            - '/e:false'
    selection_disable_2:
        CommandLine|contains|all:
            - 'set-log'
            - '/e:false'
    selection_disable_3:   # ETW provider removal from a trace session
        CommandLine|contains|all:
            - 'logman'
            - 'update'
            - 'trace'
            - '--p'
            - '-ets'
    selection_pwsh_remove:   # Autologger provider removal
        CommandLine|contains: 'Remove-EtwTraceProvider'
    selection_pwsh_set:   # Provider “Enable” property modification
        CommandLine|contains|all:
            - 'Set-EtwTraceProvider'
            - '0x11'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "cl" and TargetProcessCommandLine contains "/Trace") or (TargetProcessCommandLine contains "clear-log" and TargetProcessCommandLine contains "/Trace") or (TargetProcessCommandLine contains "sl" and TargetProcessCommandLine contains "/e:false") or (TargetProcessCommandLine contains "set-log" and TargetProcessCommandLine contains "/e:false") or (TargetProcessCommandLine contains "logman" and TargetProcessCommandLine contains "update" and TargetProcessCommandLine contains "trace" and TargetProcessCommandLine contains "--p" and TargetProcessCommandLine contains "-ets") or TargetProcessCommandLine contains "Remove-EtwTraceProvider" or (TargetProcessCommandLine contains "Set-EtwTraceProvider" and TargetProcessCommandLine contains "0x11")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml