Windows PowerShell disable ETW trace

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects attempts to disable Event Tracing for Windows (ETW) using PowerShell commands.

Strategy

This rule monitors Windows event logs for PowerShell script block execution that attempts to disable Event Tracing for Windows (ETW). It specifically looks for PowerShell commands that use Remove-EtwTraceProvider, or Set-EtwTraceProvider with the hexadecimal value 0x11, which disables trace logging. ETW is a critical logging mechanism in Windows that provides telemetry and is heavily used for security monitoring and forensics. Attackers often attempt to disable ETW to evade detection, prevent logging of their activities, and impair defense mechanisms.
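The matching logic described above, worked through in Python over constructed PowerShell Script Block Logging records (Event ID 4104). This is an added example, not Datadog's rule implementation or its query syntax; the event field names (`EventID`, `Computer`, `User`, `ScriptBlockText`), the sample commands and the GUID are constructed for the example. Script Block Logging records the script as it executes, so a command that was passed encoded on the command line still appears in clear text in this field, which is why the check runs on `ScriptBlockText` rather than on the process command line. One tightening beyond the plain "contains 0x11" rule: the value is matched on word boundaries so that it does not fire on a longer literal such as `0x110`.

```python
import re
from typing import Iterable

# Patterns mirroring the rule's stated logic: Remove-EtwTraceProvider on its own,
# or Set-EtwTraceProvider together with the property value 0x11.
# Matching is case-insensitive because PowerShell cmdlet names are.
# \b keeps 0x11 from matching inside a longer literal such as 0x110
# (an assumption that tightens the rule's plain "contains 0x11" check).
REMOVE_PROVIDER = re.compile(r"Remove-EtwTraceProvider", re.IGNORECASE)
SET_PROVIDER = re.compile(r"Set-EtwTraceProvider", re.IGNORECASE)
DISABLE_VALUE = re.compile(r"\b0x11\b", re.IGNORECASE)


def is_etw_disable_attempt(script_block_text: str) -> bool:
    """Return True when the script block text matches the rule's ETW-disable logic."""
    if REMOVE_PROVIDER.search(script_block_text):
        return True
    return bool(SET_PROVIDER.search(script_block_text)
                and DISABLE_VALUE.search(script_block_text))


def scan_script_block_events(events: Iterable[dict]) -> list[dict]:
    """Reduce a stream of event records to the script block events that match.

    Only Event ID 4104 (script block execution) carries ScriptBlockText; other
    PowerShell event IDs are skipped. Each hit keeps the host and user that the
    triage steps need.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if is_etw_disable_attempt(text):
            hits.append({"host": ev.get("Computer"),
                         "user": ev.get("User"),
                         "script": text})
    return hits


# Constructed sample events; hosts, users and the GUID are placeholders,
# not real telemetry. Parameter names follow the EventTracingManagement cmdlets.
PLACEHOLDER_GUID = "{11111111-2222-3333-4444-555555555555}"
SAMPLE_EVENTS = [
    # Read-only query of a provider: benign, must not fire.
    {"EventID": 4104, "Computer": "ws-01.example.local", "User": "EXAMPLE\\alice",
     "ScriptBlockText": "Get-EtwTraceProvider -AutologgerName EventLog-Application"},
    # Lower-case cmdlet with the 0x11 property value: fires.
    {"EventID": 4104, "Computer": "ws-02.example.local", "User": "EXAMPLE\\svc-build",
     "ScriptBlockText": "set-etwtraceprovider -AutologgerName EventLog-Application "
                        f"-Guid '{PLACEHOLDER_GUID}' -Property 0x11"},
    # Provider removal: fires regardless of any property value.
    {"EventID": 4104, "Computer": "ws-03.example.local", "User": "EXAMPLE\\bob",
     "ScriptBlockText": "Remove-EtwTraceProvider -AutologgerName EventLog-Security "
                        f"-Guid '{PLACEHOLDER_GUID}'"},
    # Set-EtwTraceProvider with a different value (0x110): not the rule's pattern.
    {"EventID": 4104, "Computer": "ws-04.example.local", "User": "EXAMPLE\\carol",
     "ScriptBlockText": "Set-EtwTraceProvider -AutologgerName EventLog-Application "
                        f"-Guid '{PLACEHOLDER_GUID}' -Property 0x110"},
]


if __name__ == "__main__":
    for hit in scan_script_block_events(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['script']}")
```

Running the block prints the two matching records (ws-02 and ws-03); the Get-EtwTraceProvider query and the 0x110 variant are left alone. The per-hit host and user fields map directly onto the first two triage steps below.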

Triage & Response

  • Examine the PowerShell script block content on {{host}} to verify the ETW trace disabling attempt and understand the full context of the execution.
  • Identify the user account that executed the PowerShell command and determine if this activity was authorized.
  • Review authentication logs to determine if the account used was compromised or if this was a legitimate administrative action.
  • Verify current ETW status on the system to determine if trace providers were successfully modified.
  • Implement privileged access management to restrict who can modify ETW settings.