Windows PowerShell disable ETW trace

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects attempts to disable Event Tracing for Windows (ETW) using PowerShell commands.

Strategy

This rule monitors Windows event logs for PowerShell script block execution that attempts to disable Event Tracing for Windows (ETW). It specifically looks for PowerShell commands that use Remove-EtwTraceProvider, or Set-EtwTraceProvider with the hexadecimal value 0x11, which disables trace logging. ETW is a critical logging mechanism in Windows that provides telemetry and is heavily used for security monitoring and forensics. Attackers often attempt to disable ETW to evade detection, prevent logging of their activities, and impair defense mechanisms.
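The matching logic described above, written out as an added example (not Datadog's rule implementation) and run over constructed script block records shaped like PowerShell ScriptBlockLogging events; the hosts, users and zeroed GUID are placeholders:

```python
import re
from typing import Iterable, Optional

# Constructed sample records modelled on PowerShell script block logging
# fields: host, user, and the logged ScriptBlockText. Not real events.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "CORP\\alice",
     "script": "Get-EtwTraceProvider -AutologgerName EventLog-Application"},
    {"host": "ws-02", "user": "CORP\\bob",
     "script": "Set-EtwTraceProvider -Guid {00000000-0000-0000-0000-000000000000} "
               "-AutologgerName EventLog-System -Property 0x11"},
    {"host": "ws-03", "user": "CORP\\carol",
     "script": "remove-etwtraceprovider -AutologgerName EventLog-Security `\n"
               "  -Guid {00000000-0000-0000-0000-000000000000}"},
    {"host": "ws-04", "user": "CORP\\dave",
     "script": "Set-EtwTraceProvider -AutologgerName Test -Property 0x1"},
]

# Remove-EtwTraceProvider matches on its own; Set-EtwTraceProvider matches only
# when the same script block also carries the value 0x11 (the rule's condition).
# PowerShell cmdlet names are case-insensitive, so the patterns are too.
REMOVE_RE = re.compile(r"\bRemove-EtwTraceProvider\b", re.IGNORECASE)
SET_RE = re.compile(r"\bSet-EtwTraceProvider\b", re.IGNORECASE)
FLAG_RE = re.compile(r"\b0x11\b", re.IGNORECASE)


def classify_script_block(script: str) -> Optional[str]:
    """Return the matched cmdlet name, or None if the block does not match."""
    if REMOVE_RE.search(script):
        return "Remove-EtwTraceProvider"
    if SET_RE.search(script) and FLAG_RE.search(script):
        return "Set-EtwTraceProvider"
    return None


def detect_etw_tampering(events: Iterable[dict]) -> list:
    """Run the rule over script block records; one finding per matching event."""
    findings = []
    for ev in events:
        cmdlet = classify_script_block(ev["script"])
        if cmdlet:
            findings.append({"host": ev["host"], "user": ev["user"], "cmdlet": cmdlet})
    return findings


if __name__ == "__main__":
    for f in detect_etw_tampering(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['user']} ran {f['cmdlet']}")
```

The word-boundary on `0x11` keeps a value such as `0x111` from matching, and the benign `Get-EtwTraceProvider` and `-Property 0x1` records produce no finding.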

Triage & Response

  • Examine the PowerShell script block content on {{host}} to verify the ETW trace disabling attempt and understand the full context of the execution.
  • Identify the user account that executed the PowerShell command and determine if this activity was authorized.
  • Review authentication logs to determine if the account used was compromised or if this was a legitimate administrative action.
  • Verify current ETW status on the system to determine if trace providers were successfully modified.
  • Implement privileged access management to restrict who can modify ETW settings.