LoFP / legitimate deactivation by administrative staff

Techniques

Sample rules

Suspicious Windows Trace ETW Session Tamper Via Logman.EXE

Description

Detects execution of the "logman" utility to stop or delete Windows ETW trace sessions (kernel context logger, the EventLog- sessions that feed the Windows Event Log, and Sysmon's own trace sessions)

Detection logic

condition: all of selection*
selection_action:
  CommandLine|contains:
  - 'stop '
  - 'delete '
selection_img:
- Image|endswith: \logman.exe
- OriginalFileName: Logman.exe
selection_service:
  CommandLine|contains:
  - Circular Kernel Context Logger
  - EventLog-
  - SYSMON TRACE
  - SysmonDnsEtwSession
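To show what this rule actually fires on, and why administrative deactivation is a false positive by construction, here is a small evaluator for the three selections above, run over constructed process-creation events. This is an added example, not code from the Sigma project or from the rule author; the events are made up for illustration (the `-ets` switch is logman's real option for acting on live event trace sessions, but nothing here comes from a real log). Sigma string modifiers are case-insensitive by default, so both sides are lower-cased; a list of maps under `selection_img` is OR, and `all of selection*` ANDs the three selections.

```python
"""Evaluate the Sigma selections above over constructed process-creation events."""

from dataclasses import dataclass

# Rule fields transcribed from the detection logic above (lower-cased because
# Sigma's contains/endswith modifiers are case-insensitive by default).
ACTION_TOKENS = ["stop ", "delete "]               # selection_action
IMAGE_SUFFIX = "\\logman.exe"                      # selection_img, Image|endswith
ORIGINAL_FILENAME = "logman.exe"                   # selection_img, OriginalFileName
SESSION_TOKENS = [                                 # selection_service
    "circular kernel context logger",
    "eventlog-",
    "sysmon trace",
    "sysmondnsetwsession",
]


@dataclass
class ProcessEvent:
    """The three Sigma fields the rule reads from a process-creation event."""
    image: str
    original_file_name: str
    command_line: str


def selection_action(ev: ProcessEvent) -> bool:
    cl = ev.command_line.lower()
    return any(tok in cl for tok in ACTION_TOKENS)


def selection_img(ev: ProcessEvent) -> bool:
    # List of maps in Sigma = OR: either the path or the PE original name matches,
    # so a renamed logman.exe is still caught via OriginalFileName.
    return (ev.image.lower().endswith(IMAGE_SUFFIX)
            or ev.original_file_name.lower() == ORIGINAL_FILENAME)


def selection_service(ev: ProcessEvent) -> bool:
    cl = ev.command_line.lower()
    return any(tok in cl for tok in SESSION_TOKENS)


def matches(ev: ProcessEvent) -> bool:
    """condition: all of selection*"""
    return selection_action(ev) and selection_img(ev) and selection_service(ev)


def evaluate(events: list[ProcessEvent]) -> list[bool]:
    return [matches(ev) for ev in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Attacker blinds Sysmon by stopping its trace session -> true positive.
    ProcessEvent(r"C:\Windows\System32\logman.exe", "Logman.exe",
                 'logman stop "SYSMON TRACE" -ets'),
    # 2. Administrator removing an EventLog session during maintenance -> the
    #    legitimate-deactivation false positive this LoFP page describes.
    ProcessEvent(r"C:\Windows\System32\logman.exe", "Logman.exe",
                 "logman delete EventLog-Application"),
    # 3. Read-only enumeration of sessions -> no action token, no match.
    ProcessEvent(r"C:\Windows\System32\logman.exe", "Logman.exe",
                 "logman query -ets"),
    # 4. Stopping an unrelated custom trace -> session not in the list, no match.
    ProcessEvent(r"C:\Windows\System32\logman.exe", "Logman.exe",
                 "logman stop MyCustomTrace -ets"),
    # 5. Renamed binary; path misses but OriginalFileName still matches.
    ProcessEvent(r"C:\Temp\lm.exe", "Logman.exe",
                 'lm.exe stop "Circular Kernel Context Logger" -ets'),
]

if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'MATCH ' if hit else 'ignore'}  {ev.command_line}")
```

Event 2 is the point of this page: the rule cannot distinguish an administrator stopping a session from an attacker doing the same, because it keys only on the image and the command line. Triage therefore has to come from fields the rule does not use, such as the account and the parent process (a change-management tool versus an interactive shell spawned from a web server), and any tuning should filter on those rather than on loosening the session list.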