Windows PowerShell disable ETW trace
Goal
Detects attempts to disable Event Tracing for Windows (ETW) using PowerShell commands.
Strategy
This rule monitors Windows event logs for PowerShell script block execution that attempts to disable Event Tracing for Windows (ETW). It specifically looks for PowerShell commands that use either Remove-EtwTraceProvider, or Set-EtwTraceProvider with the hexadecimal value 0x11, which disables trace logging. ETW is a critical logging mechanism in Windows that provides telemetry and is heavily used for security monitoring and forensics. Attackers often attempt to disable ETW to evade detection, prevent logging of their activities, and impair defense mechanisms.
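The matching logic described above, run over a handful of constructed script block log entries, as an added example that is not part of this rule page or Datadog's own implementation. The event records are modelled on PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104); the field names, the host and user values, and the cmdlet parameters in the sample script blocks are assumptions for this example, not the rule's log schema.

```python
import re

# Constructed sample events shaped like PowerShell script block log entries.
# Field names and values are assumptions for this example only.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "CORP\\jdoe",
     "script_block": "Get-Process | Sort-Object CPU -Descending"},
    {"host": "ws-02", "user": "CORP\\admin",
     "script_block": "Remove-EtwTraceProvider -AutologgerName EventLog-Application "
                     "-Guid '{00000000-0000-0000-0000-000000000000}'"},
    {"host": "ws-03", "user": "CORP\\svc",
     # lower-case variant: PowerShell cmdlet names are case-insensitive
     "script_block": "set-etwtraceprovider -Guid '{00000000-0000-0000-0000-000000000000}' "
                     "-AutologgerName 'EventLog-Security' -Property 0x11"},
    {"host": "ws-04", "user": "CORP\\ops",
     # Set-EtwTraceProvider without 0x11 does not match the rule as described
     "script_block": "Set-EtwTraceProvider -Guid '{00000000-0000-0000-0000-000000000000}' "
                     "-AutologgerName 'EventLog-Security' -Level 5"},
]

# Case-insensitive patterns for the two cmdlets named in the rule, plus the
# 0x11 value that must accompany Set-EtwTraceProvider. Word boundaries keep
# 0x11 from matching inside a longer hex literal such as 0x110.
REMOVE_PROVIDER = re.compile(r"remove-etwtraceprovider", re.IGNORECASE)
SET_PROVIDER = re.compile(r"set-etwtraceprovider", re.IGNORECASE)
HEX_0X11 = re.compile(r"\b0x11\b", re.IGNORECASE)


def classify_script_block(script_block: str):
    """Return the reason a script block matches the rule, or None if it does not."""
    if REMOVE_PROVIDER.search(script_block):
        return "Remove-EtwTraceProvider"
    if SET_PROVIDER.search(script_block) and HEX_0X11.search(script_block):
        return "Set-EtwTraceProvider with 0x11"
    return None


def detect(events):
    """Run the rule over a list of events and return one finding per match.

    Each finding carries the host and user so the triage steps (examine the
    script block on the host, identify the executing account) can start
    directly from the alert.
    """
    findings = []
    for event in events:
        reason = classify_script_block(event["script_block"])
        if reason is not None:
            findings.append({
                "host": event["host"],
                "user": event["user"],
                "reason": reason,
                "script_block": event["script_block"],
            })
    return findings


def hosts_with_findings(events):
    """Sorted, de-duplicated list of hosts that produced at least one finding."""
    return sorted({f["host"] for f in detect(events)})


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['host']} {finding['user']}: {finding['reason']}")
```

The fourth sample shows the rule's boundary: changing a provider's level without the 0x11 value is not flagged, so a Set-EtwTraceProvider call on its own is not enough for a match and should not be treated as one during triage.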
Triage & Response
- Examine the PowerShell script block content on {{host}} to verify the ETW trace disabling attempt and understand the full context of the execution.
- Identify the user account that executed the PowerShell command and determine if this activity was authorized.
- Review authentication logs to determine if the account used was compromised or if this was a legitimate administrative action.
- Verify current ETW status on the system to determine if trace providers were successfully modified.
- Implement privileged access management to restrict who can modify ETW settings.