Detects attempts to disable Event Tracing for Windows (ETW) using PowerShell commands.

This rule monitors Windows event logs for PowerShell script block execution that attempts to disable Event Tracing for Windows (ETW). It specifically looks for PowerShell commands that use `Remove-EtwTraceProvider`, or `Set-EtwTraceProvider` with the hexadecimal value `0x11`, which disables trace logging. ETW is a critical logging mechanism in Windows that provides telemetry and is heavily used for security monitoring and forensics. Attackers often attempt to disable ETW to evade detection, prevent logging of their activities, and impair defense mechanisms.

{{host}} to verify the ETW trace disabling attempt and understand the full context of the execution.
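The detection logic described above, as an added example in Python that is not part of this page or of Datadog's own rule implementation. It matches PowerShell script block events against the two cmdlet names and the `0x11` value named in the rule. The event ID (4104, from the Microsoft-Windows-PowerShell/Operational log), the event field names, the hostnames, and the script block strings are assumptions or constructed sample input, not values taken from the page.

```python
"""Detection logic for the ETW-tampering behaviour the rule above describes.

Added example, not Datadog's rule implementation or any project's code. It
assumes PowerShell script block logging (event 4104 in the
Microsoft-Windows-PowerShell/Operational log) is enabled; the event
dictionaries and script block texts below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional

# Event 4104 carries the decoded text of each executed script block (assumed event ID).
SCRIPT_BLOCK_EVENT_ID = 4104

# Patterns taken from the rule text: Remove-EtwTraceProvider on its own,
# or Set-EtwTraceProvider combined with the value 0x11.
REMOVE_PROVIDER = re.compile(r"\bRemove-EtwTraceProvider\b", re.IGNORECASE)
SET_PROVIDER = re.compile(r"\bSet-EtwTraceProvider\b", re.IGNORECASE)
DISABLE_VALUE = re.compile(r"\b0x11\b", re.IGNORECASE)  # 0x110 or 0x41 do not match


def classify_script_block(text: str) -> Optional[str]:
    """Return a technique label when the script block matches the rule, else None."""
    if REMOVE_PROVIDER.search(text):
        return "remove_provider"
    # Set-EtwTraceProvider is routine administration unless paired with 0x11.
    if SET_PROVIDER.search(text) and DISABLE_VALUE.search(text):
        return "set_provider_disable"
    return None


def detect_etw_tampering(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the rule over script block events and collect one finding per match."""
    findings: List[Dict[str, object]] = []
    for event in events:
        if event.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
            continue  # only script block executions carry the text we inspect
        technique = classify_script_block(str(event.get("ScriptBlockText", "")))
        if technique is None:
            continue
        findings.append({
            "host": event.get("Computer"),
            "technique": technique,
            "script": event.get("ScriptBlockText"),
        })
    return findings


# Constructed sample events; GUIDs are placeholders and hostnames are invented.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4104, "Computer": "ws01.example.internal",
     "ScriptBlockText": "Get-EtwTraceProvider -SessionName EventLog-Application"},  # benign enumeration
    {"EventID": 4104, "Computer": "ws02.example.internal",
     "ScriptBlockText": "Remove-EtwTraceProvider -AutologgerName EventLog-Application -Guid '{GUID-PLACEHOLDER}'"},
    {"EventID": 4104, "Computer": "ws03.example.internal",
     "ScriptBlockText": "set-etwtraceprovider -AutologgerName EventLog-System -Guid '{GUID-PLACEHOLDER}' -Property 0x11"},
    {"EventID": 4104, "Computer": "ws04.example.internal",
     "ScriptBlockText": "Set-EtwTraceProvider -AutologgerName EventLog-System -Guid '{GUID-PLACEHOLDER}' -Property 0x41"},  # provider changed, but not to 0x11
    {"EventID": 4103, "Computer": "ws05.example.internal",
     "ScriptBlockText": "Remove-EtwTraceProvider -Guid '{GUID-PLACEHOLDER}'"},  # not a 4104 event, skipped
]


if __name__ == "__main__":
    for finding in detect_etw_tampering(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['technique']} -> {finding['script']}")
```

Run against the constructed events, the detector reports ws02 (provider removed) and ws03 (provider set to `0x11`, matched case-insensitively) and stays quiet on the enumeration, the `0x41` change, and the non-4104 event. Two caveats apply in practice: 4104 events only exist where script block logging is enabled, and plain pattern matching on the block text is only one signal, so a hit should be followed by reviewing the surrounding script blocks on the host, as the triage text above suggests.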