Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
- source: sigma
- techniques:
  - t1685
  - t1685.005
Description
Detects the execution of the “logman” utility in order to stop or delete Windows trace (ETW) sessions.
Detection logic
condition: all of selection*
selection_action:
    CommandLine|contains:
        - 'stop '
        - 'delete '
selection_img:
    - Image|endswith: '\logman.exe'
    - OriginalFileName: 'Logman.exe'
selection_service:
    CommandLine|contains:
        - 'Circular Kernel Context Logger'
        - 'EventLog-'
        - 'SYSMON TRACE'
        - 'SysmonDnsEtwSession'
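The matcher below is an added example, not code from the Sigma project: it evaluates the rule's three selections against constructed process-creation events (Image, OriginalFileName, CommandLine fields) using Sigma's default semantics, so a defender can see which command lines the rule would and would not flag.

```python
# Added example (not Sigma project code): apply the rule's selections with
# Sigma's default semantics: case-insensitive matching, 'endswith'/'contains'
# modifiers, list values OR-ed within a key, map keys AND-ed, a list of maps
# OR-ed, and 'all of selection*' AND-ing the three selections together.
RULE = {
    "selection_img": [  # list of maps: either map may match
        {"Image|endswith": [r"\logman.exe"]},
        {"OriginalFileName": ["Logman.exe"]},
    ],
    "selection_action": {"CommandLine|contains": ["stop ", "delete "]},
    "selection_service": {"CommandLine|contains": [
        "Circular Kernel Context Logger", "EventLog-",
        "SYSMON TRACE", "SysmonDnsEtwSession",
    ]},
}

def _field_matches(event, key, values):
    """One 'Field|modifier: values' entry; any value matching is enough."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False

def _selection_matches(event, selection):
    if isinstance(selection, list):  # list of maps: OR across the maps
        return any(_selection_matches(event, m) for m in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def matches(event):
    """condition: all of selection* -> every selection must match."""
    return all(_selection_matches(event, s) for s in RULE.values())

# Constructed process-creation events (sample data, not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\logman.exe",
     "CommandLine": 'logman stop "SYSMON TRACE" -ets'},
    {"Image": r"C:\Windows\System32\logman.exe",
     "CommandLine": "logman query -ets"},
    {"Image": r"C:\Temp\lm.exe", "OriginalFileName": "Logman.exe",
     "CommandLine": "lm.exe delete EventLog-Application -ets"},
]
```

The third event shows why the rule checks OriginalFileName as well as Image: a renamed copy of logman.exe still matches on its PE original filename.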