diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
new file mode 100644
index 000000000..d25ed3b7e
--- /dev/null
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -0,0 +1,25 @@
+title: Disable of ETW Trace
+description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
+references:
+    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+    - https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml
+    - https://abuse.io/lockergoga.txt
+author: @neu5ron, Florian Roth
+date: 2019/03/22
+tags:
+    - attack.execution
+    - attack.T1070
+level: high
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_clear_1:
+        CommandLine: '* cl */Trace*'
+    selection_clear_2:
+        CommandLine: '* clear-log */Trace*'
+    selection_disable_1:
+        CommandLine: '* sl* /e:false*'
+    selection_disable_2:
+        CommandLine: '* set-log* /e:false*'
+    condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2
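Review bot: The `author` value starts with `@`, which is a reserved indicator in YAML and cannot begin a plain scalar, so `author: @neu5ron, Florian Roth` will fail to parse in standard YAML loaders and the rule will be rejected before it is ever converted; quote it as `author: '@neu5ron, Florian Roth'`. The two `selection_disable_*` patterns (`* sl* /e:false*`, `* set-log* /e:false*`) match disabling of any log channel, not only trace logs, while the description says "any ETW trace log" — either narrow the pattern or widen the description so analysts know what a `level: high` hit actually covers. Since those disable patterns can also be produced by administrative wevtutil use, the rule would benefit from a `falsepositives` section (e.g. legitimate administrative log reconfiguration) as the other process_creation rules carry.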