T1562.006 Indicator Blocking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ETWTampering = dynamic(["Set-EtwTraceProvider", "logman stop", "logman delete", "logman update", "Remove-EtwTraceProvider", "EtwEventWrite", "NtTraceEvent", "NtTraceControl"]);
let CrashDumpTampering = dynamic(["CrashDumpEnabled", "NMICrashDump"]);
let SyslogTampering = dynamic(["systemctl stop rsyslog", "systemctl stop syslog-ng", "service rsyslog stop", "service syslog stop", "esxcli system syslog"]);
let IndicatorBlocking = dynamic(["Set-EtwTraceProvider", "logman stop", "logman delete", "CrashDumpEnabled", "systemctl stop rsyslog", "systemctl stop syslog-ng", "service rsyslog stop"]);
union DeviceProcessEvents, DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (IndicatorBlocking)
   or ProcessCommandLine has_any (ETWTampering)
   or ProcessCommandLine has_any (SyslogTampering)
   or (ActionType == "RegistryValueSet" and RegistryKey has "CrashControl" and RegistryValueName has_any (CrashDumpTampering))
| extend BlockingType = case(
    ProcessCommandLine has_any ("Set-EtwTraceProvider", "logman stop", "logman delete", "logman update", "Remove-EtwTraceProvider"), "ETW Tampering",
    ProcessCommandLine has_any ("EtwEventWrite", "NtTraceEvent", "NtTraceControl"), "ETW API Patching",
    RegistryValueName has "CrashDumpEnabled" or ProcessCommandLine has "CrashDumpEnabled", "Crash Dump Disabled",
    ProcessCommandLine has_any ("rsyslog", "syslog-ng", "syslog"), "Syslog Tampering",
    "Other")
| project Timestamp, DeviceName, AccountName, BlockingType, ProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Modification Sensor Health: Host Status

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Performance engineers using logman to manage ETW trace sessions for diagnostics
System administrators configuring crash dump settings for disk space management on servers
Security teams intentionally modifying ETW providers during tuning or testing

Splunk

spl

(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*Set-EtwTraceProvider*" OR CommandLine="*logman stop*" OR CommandLine="*logman delete*" OR CommandLine="*logman update*" OR CommandLine="*Remove-EtwTraceProvider*"))
OR
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
  TargetObject="*CrashControl*CrashDumpEnabled*")
OR
(index=linux sourcetype=syslog ("systemctl stop rsyslog" OR "systemctl stop syslog-ng" OR "service rsyslog stop" OR "service syslog stop" OR "esxcli system syslog"))
| eval BlockingType=case(
    match(_raw, "(?i)(Set-EtwTraceProvider|logman\s+(stop|delete|update)|Remove-EtwTraceProvider)"), "ETW Tampering",
    match(_raw, "(?i)CrashDumpEnabled"), "Crash Dump Disabled",
    match(_raw, "(?i)(rsyslog|syslog-ng|syslog)"), "Syslog Tampering",
    true(), "Other")
| table _time, host, User, EventCode, BlockingType, CommandLine, TargetObject, Details
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Windows Registry: Windows Registry Key Modification Linux Syslog Sysmon Event ID 1, 12, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational syslog

False Positives

Performance engineers using logman to manage ETW trace sessions for diagnostics
System administrators configuring crash dump settings for disk space management on servers
Security teams intentionally modifying ETW providers during tuning or testing

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and (
    process.command_line like~ "*Set-EtwTraceProvider*" or
    process.command_line like~ "*logman stop*" or
    process.command_line like~ "*logman delete*" or
    process.command_line like~ "*logman update*" or
    process.command_line like~ "*Remove-EtwTraceProvider*" or
    process.command_line like~ "*EtwEventWrite*" or
    process.command_line like~ "*NtTraceEvent*" or
    process.command_line like~ "*NtTraceControl*" or
    process.command_line like~ "*systemctl stop rsyslog*" or
    process.command_line like~ "*systemctl stop syslog-ng*" or
    process.command_line like~ "*service rsyslog stop*" or
    process.command_line like~ "*service syslog stop*" or
    process.command_line like~ "*esxcli system syslog*"
  )]
| where not (process.parent.name in ("msiexec.exe", "sccmexec.exe") and process.name == "logman.exe")

any where event.category == "registry" and event.type in ("creation", "change") and
  registry.path like~ "*CrashControl*" and
  (registry.value like~ "*CrashDumpEnabled*" or registry.value like~ "*NMICrashDump*")

high severity high confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon Auditbeat (Linux)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate IT administrators using logman.exe to manage ETW sessions for performance diagnostics or troubleshooting
SCCM or Ansible automation scripts that stop and restart syslog services during configuration management runs
Security vendors (EDR, DLP) that programmatically manage ETW providers as part of their own telemetry pipeline

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  "CommandLine",
  "TargetObject",
  CASE
    WHEN "CommandLine" ILIKE '%Set-EtwTraceProvider%'
      OR "CommandLine" ILIKE '%Remove-EtwTraceProvider%'
      OR "CommandLine" ILIKE '%logman stop%'
      OR "CommandLine" ILIKE '%logman delete%'
      OR "CommandLine" ILIKE '%logman update%'
      THEN 'ETW Tampering'
    WHEN "CommandLine" ILIKE '%EtwEventWrite%'
      OR "CommandLine" ILIKE '%NtTraceEvent%'
      OR "CommandLine" ILIKE '%NtTraceControl%'
      THEN 'ETW API Patching'
    WHEN "CommandLine" ILIKE '%CrashDumpEnabled%'
      OR "TargetObject" ILIKE '%CrashControl%'
      THEN 'Crash Dump Disabled'
    WHEN "CommandLine" ILIKE '%rsyslog%'
      OR "CommandLine" ILIKE '%syslog-ng%'
      OR "CommandLine" ILIKE '%syslog stop%'
      THEN 'Syslog Tampering'
    ELSE 'Other'
  END AS blocking_type
FROM events
WHERE LOGSOURCETYPEID IN (12, 253, 352)
  AND starttime > NOW() - 86400000
  AND (
    (eventid = 1 AND (
      "CommandLine" ILIKE '%Set-EtwTraceProvider%' OR
      "CommandLine" ILIKE '%Remove-EtwTraceProvider%' OR
      "CommandLine" ILIKE '%logman stop%' OR
      "CommandLine" ILIKE '%logman delete%' OR
      "CommandLine" ILIKE '%logman update%' OR
      "CommandLine" ILIKE '%EtwEventWrite%' OR
      "CommandLine" ILIKE '%NtTraceEvent%' OR
      "CommandLine" ILIKE '%NtTraceControl%' OR
      "CommandLine" ILIKE '%CrashDumpEnabled%' OR
      "CommandLine" ILIKE '%systemctl stop rsyslog%' OR
      "CommandLine" ILIKE '%systemctl stop syslog-ng%' OR
      "CommandLine" ILIKE '%service rsyslog stop%' OR
      "CommandLine" ILIKE '%service syslog stop%' OR
      "CommandLine" ILIKE '%esxcli system syslog%'
    ))
    OR (eventid IN (12, 13) AND "TargetObject" ILIKE '%CrashControl%CrashDumpEnabled%')
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar with Sysmon DSM WinCollect for Windows Linux syslog via QRadar

Required Tables

events

False Positives

Scheduled tasks or monitoring agents that periodically reconfigure ETW trace sessions for telemetry management
OS patching processes that temporarily stop syslog services during package upgrades on Linux servers
Crash dump settings modified by enterprise imaging tools during OS deployment or system hardening baselines

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="linux/syslog" OR _sourceCategory="windows/security")
| where (%"EventCode" IN ("1", "12", "13") OR _sourceCategory matches "*linux*")
| parse field=CommandLine "*" as cmd_full nodrop
| where (
    CommandLine matches "*Set-EtwTraceProvider*" OR
    CommandLine matches "*Remove-EtwTraceProvider*" OR
    CommandLine matches "*logman stop*" OR
    CommandLine matches "*logman delete*" OR
    CommandLine matches "*logman update*" OR
    CommandLine matches "*EtwEventWrite*" OR
    CommandLine matches "*NtTraceEvent*" OR
    CommandLine matches "*NtTraceControl*" OR
    CommandLine matches "*CrashDumpEnabled*" OR
    CommandLine matches "*systemctl stop rsyslog*" OR
    CommandLine matches "*systemctl stop syslog-ng*" OR
    CommandLine matches "*service rsyslog stop*" OR
    CommandLine matches "*service syslog stop*" OR
    CommandLine matches "*esxcli system syslog*"
  )
  OR (
    TargetObject matches "*CrashControl*CrashDumpEnabled*"
  )
| eval blocking_type = if(CommandLine matches "*Set-EtwTraceProvider*" OR CommandLine matches "*Remove-EtwTraceProvider*" OR CommandLine matches "*logman stop*" OR CommandLine matches "*logman delete*", "ETW Tampering",
    if(CommandLine matches "*EtwEventWrite*" OR CommandLine matches "*NtTraceEvent*" OR CommandLine matches "*NtTraceControl*", "ETW API Patching",
    if(CommandLine matches "*CrashDumpEnabled*" OR TargetObject matches "*CrashControl*", "Crash Dump Disabled",
    if(CommandLine matches "*rsyslog*" OR CommandLine matches "*syslog-ng*" OR CommandLine matches "*syslog stop*", "Syslog Tampering",
    "Other"))))
| count by _sourceHost, User, blocking_type, CommandLine, TargetObject, _time
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows Sysmon) Sumo Logic Installed Collector (Linux syslog) Sumo Logic Cloud SIEM (CSE)

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=linux/syslog

False Positives

Windows Defender or third-party AV products that adjust ETW providers during live response or threat remediation actions
DevOps pipelines running logman.exe as part of automated performance trace collection in CI/CD environments
Linux configuration management (Chef, Puppet, Ansible) that stops and restarts syslog services during convergence runs

Google Chronicle / SecOps

yaral

rule indicator_blocking_t1562_006 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1562.006 Indicator Blocking via ETW tampering, crash dump disabling, or syslog service termination"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.006"
    reference = "https://attack.mitre.org/techniques/T1562/006/"
    created = "2026-04-21"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.command_line, `(?i)(Set-EtwTraceProvider|Remove-EtwTraceProvider|logman\s+(stop|delete|update)|EtwEventWrite|NtTraceEvent|NtTraceControl)`) or
        re.regex($e.target.process.command_line, `(?i)(systemctl\s+stop\s+(rsyslog|syslog-ng)|service\s+(rsyslog|syslog)\s+stop|esxcli\s+system\s+syslog)`) or
        re.regex($e.target.process.command_line, `(?i)CrashDumpEnabled`)
      )
    )
    or
    (
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key, `(?i)CrashControl`) and
      re.regex($e.target.registry.registry_value_name, `(?i)(CrashDumpEnabled|NMICrashDump)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle (UDM) Chronicle Forwarder (Windows Sysmon) Chronicle Forwarder (Linux auditd/syslog)

Required Tables

UDM Events (PROCESS_LAUNCH, REGISTRY_MODIFICATION)

False Positives

Legitimate logman.exe usage by Windows Performance Monitor or SCOM agents collecting ETW-based performance counters
Incident response tooling (e.g., KAPE, Velociraptor) that may interact with ETW providers during forensic data collection
Hardening scripts that set CrashDumpEnabled=0 on production servers to reduce disk I/O impact during memory pressure events

CrowdStrike LogScale (CQL)

cql

#repo=base_sensor
#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(Set-EtwTraceProvider|Remove-EtwTraceProvider|logman\s+(stop|delete|update)|EtwEventWrite|NtTraceEvent|NtTraceControl|CrashDumpEnabled|systemctl\s+stop\s+(rsyslog|syslog-ng)|service\s+(rsyslog|syslog)\s+stop|esxcli\s+system\s+syslog)/
| blocking_type := case {
    CommandLine = /(?i)(Set-EtwTraceProvider|Remove-EtwTraceProvider|logman\s+(stop|delete|update))/ => "ETW Tampering";
    CommandLine = /(?i)(EtwEventWrite|NtTraceEvent|NtTraceControl)/ => "ETW API Patching";
    CommandLine = /(?i)CrashDumpEnabled/ => "Crash Dump Disabled";
    CommandLine = /(?i)(rsyslog|syslog-ng|syslog\s+stop)/ => "Syslog Tampering";
    * => "Other"
  }
| table([timestamp, ComputerName, UserName, blocking_type, CommandLine, ParentBaseFileName, FileName])
| sort(timestamp, order=desc)

// Registry-based crash dump detection (separate query — union manually in dashboard)
// #event_simpleName=RegSetValue
// | ObjectName = /(?i)CrashControl/
// | ValueName = /(?i)(CrashDumpEnabled|NMICrashDump)/
// | table([timestamp, ComputerName, UserName, ObjectName, ValueName, RegStringValue])

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) CrowdStrike Falcon EDR (RegSetValue) CrowdStrike Falcon LogScale

Required Tables

base_sensor (ProcessRollup2, RegSetValue)

False Positives

Falcon sensor itself or CrowdStrike RTR scripts that interact with ETW providers during sensor health checks or live response sessions
Enterprise software deployment tools (SCCM, Intune) running logman.exe as part of application installation that includes ETW-based diagnostics
SRE runbooks that disable crash dumps on high-memory database servers to prevent kernel panic from consuming disk space in production

Indicator Blocking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections