2019-03-22 11:36:55 -04:00
|
|
|
title: Disable of ETW Trace
|
2019-11-12 23:12:27 +01:00
|
|
|
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
|
2019-03-22 11:36:55 -04:00
|
|
|
description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
|
2020-03-24 19:53:41 +01:00
|
|
|
status: experimental
|
2019-03-22 11:36:55 -04:00
|
|
|
references:
|
|
|
|
|
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
|
|
|
|
|
- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml
|
|
|
|
|
- https://abuse.io/lockergoga.txt
|
2019-05-10 00:02:20 +02:00
|
|
|
author: '@neu5ron, Florian Roth'
|
2019-03-22 11:36:55 -04:00
|
|
|
date: 2019/03/22
|
|
|
|
|
tags:
|
2020-08-29 04:39:30 +00:00
|
|
|
- attack.defense_evasion
|
2020-06-16 14:46:08 -06:00
|
|
|
- attack.t1070
|
2020-09-13 15:46:45 +02:00
|
|
|
- attack.t1562.006
|
2020-06-16 14:46:08 -06:00
|
|
|
- car.2016-04-002
|
2019-03-22 11:36:55 -04:00
|
|
|
level: high
|
|
|
|
|
logsource:
|
|
|
|
|
category: process_creation
|
|
|
|
|
product: windows
|
|
|
|
|
detection:
|
|
|
|
|
selection_clear_1:
|
|
|
|
|
CommandLine: '* cl */Trace*'
|
|
|
|
|
selection_clear_2:
|
|
|
|
|
CommandLine: '* clear-log */Trace*'
|
|
|
|
|
selection_disable_1:
|
|
|
|
|
CommandLine: '* sl* /e:false*'
|
|
|
|
|
selection_disable_2:
|
|
|
|
|
CommandLine: '* set-log* /e:false*'
|
|
|
|
|
condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2
|
2020-03-24 19:53:41 +01:00
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
