LoFP LoFP / installer tools that disable services, e.g. before log collection agent installation

Techniques

Sample rules

Suspicious Windows Trace ETW Session Tamper Via Logman.EXE

Description

Detects the execution of “logman” utility in order to disable or delete Windows trace sessions

Detection logic

condition: all of selection*
selection_action:
  CommandLine|contains:
  - 'stop '
  - 'delete '
selection_img:
- Image|endswith: \logman.exe
- OriginalFileName: Logman.exe
selection_service:
  CommandLine|contains:
  - Circular Kernel Context Logger
  - EventLog-
  - SYSMON TRACE
  - SysmonDnsEtwSession