T1562.006 Google Chronicle · YARA-L

Detect Indicator Blocking in Google Chronicle

Adversaries may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This includes tampering with Event Tracing for Windows (ETW), disabling crash dumps, modifying syslog configuration, redirecting telemetry, or blocking network traffic to SIEM/logging infrastructure. ETW tampering is particularly impactful as many security tools depend on ETW providers for visibility.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1562 Impair Defenses
Sub-technique: T1562.006 Indicator Blocking
Canonical reference: https://attack.mitre.org/techniques/T1562/006/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule indicator_blocking_t1562_006 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1562.006 Indicator Blocking via ETW tampering, crash dump disabling, or syslog service termination"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.006"
    reference = "https://attack.mitre.org/techniques/T1562/006/"
    created = "2026-04-21"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.command_line, `(?i)(Set-EtwTraceProvider|Remove-EtwTraceProvider|logman\s+(stop|delete|update)|EtwEventWrite|NtTraceEvent|NtTraceControl)`) or
        re.regex($e.target.process.command_line, `(?i)(systemctl\s+stop\s+(rsyslog|syslog-ng)|service\s+(rsyslog|syslog)\s+stop|esxcli\s+system\s+syslog)`) or
        re.regex($e.target.process.command_line, `(?i)CrashDumpEnabled`)
      )
    )
    or
    (
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key, `(?i)CrashControl`) and
      re.regex($e.target.registry.registry_value_name, `(?i)(CrashDumpEnabled|NMICrashDump)`)
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting T1562.006 Indicator Blocking. Matches PROCESS_LAUNCH events with ETW provider manipulation commands (Set/Remove-EtwTraceProvider, logman, ETW API functions), syslog service termination, crash dump disabling via command line, and REGISTRY_MODIFICATION events targeting the CrashControl key for crash dump settings.

Data Sources

  • Google Chronicle (UDM)
  • Chronicle Forwarder (Windows Sysmon)
  • Chronicle Forwarder (Linux auditd/syslog)

Required Tables

UDM Events (PROCESS_LAUNCH, REGISTRY_MODIFICATION)

False Positives & Tuning

  • Legitimate logman.exe usage by Windows Performance Monitor or SCOM agents collecting ETW-based performance counters
  • Incident response tooling (e.g., KAPE, Velociraptor) that may interact with ETW providers during forensic data collection
  • Hardening scripts that set CrashDumpEnabled=0 on production servers to reduce disk I/O impact during memory pressure events

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Stop ETW Trace Session with logman

    Expected signal: Sysmon Event ID 1: logman.exe with CommandLine 'stop EventLog-Application -ets'.

  2. Test 2: Disable Crash Dumps via Registry

    Expected signal: Sysmon Event ID 13: Registry value set for CrashControl\CrashDumpEnabled=0. Sysmon Event ID 1: reg.exe process creation.

  3. Test 3: Stop rsyslog Service on Linux

    Expected signal: Auditd execve record for systemctl stop rsyslog. Syslog may capture its own stop (depending on timing). MDE DeviceProcessEvents if deployed.
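The three test steps above, replayed through a Python re-implementation of the rule's matching logic over constructed UDM-shaped events. This is an added example, not part of the original page or the Argus rule; the dict layout, the `process_launch` helper and the event names are assumptions, and the regexes are copied from the rule so that the expected signals, a benign control and one uncovered invocation can be checked offline.

```python
import re

# Regexes copied from the rule above; Python's re and Chronicle's RE2 both
# honour a leading (?i) and match anywhere in the string (like re.regex).
ETW_RE = re.compile(r"(?i)(Set-EtwTraceProvider|Remove-EtwTraceProvider|logman\s+(stop|delete|update)|EtwEventWrite|NtTraceEvent|NtTraceControl)")
SYSLOG_RE = re.compile(r"(?i)(systemctl\s+stop\s+(rsyslog|syslog-ng)|service\s+(rsyslog|syslog)\s+stop|esxcli\s+system\s+syslog)")
CRASHDUMP_CMD_RE = re.compile(r"(?i)CrashDumpEnabled")
CRASHCONTROL_KEY_RE = re.compile(r"(?i)CrashControl")
CRASHCONTROL_VALUE_RE = re.compile(r"(?i)(CrashDumpEnabled|NMICrashDump)")


def matches_rule(event: dict) -> bool:
    """Mirror the rule's events section over a minimal UDM-shaped dict (assumed layout)."""
    event_type = event.get("metadata", {}).get("event_type")
    target = event.get("target", {})
    if event_type == "PROCESS_LAUNCH":
        cmd = target.get("process", {}).get("command_line", "")
        return bool(ETW_RE.search(cmd) or SYSLOG_RE.search(cmd) or CRASHDUMP_CMD_RE.search(cmd))
    if event_type == "REGISTRY_MODIFICATION":
        reg = target.get("registry", {})
        return bool(CRASHCONTROL_KEY_RE.search(reg.get("registry_key", ""))
                    and CRASHCONTROL_VALUE_RE.search(reg.get("registry_value_name", "")))
    return False


def process_launch(command_line: str) -> dict:
    """Hypothetical helper building a PROCESS_LAUNCH event with only the fields the rule reads."""
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "target": {"process": {"command_line": command_line}}}


# Constructed sample events: one per Testing Methodology step, a benign control, and
# one invocation the current regex does not cover (logman\s+ needs whitespace right
# after "logman", so a command line written as "logman.exe stop" is not matched).
SAMPLE_EVENTS = {
    "test1_logman_stop": process_launch("logman stop EventLog-Application -ets"),
    "test2_crashcontrol_registry": {
        "metadata": {"event_type": "REGISTRY_MODIFICATION"},
        "target": {"registry": {
            "registry_key": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl",
            "registry_value_name": "CrashDumpEnabled"}}},
    "test3_rsyslog_stop": process_launch("systemctl stop rsyslog"),
    "benign_logman_query": process_launch("logman query -ets"),
    "gap_logman_exe_stop": process_launch("logman.exe stop EventLog-Application -ets"),
}


def evaluate(events: dict) -> dict:
    """Return {event name: fired} so each expected signal above can be checked."""
    return {name: matches_rule(ev) for name, ev in events.items()}
```

The `gap_logman_exe_stop` entry is the tuning starting point: it is the Test 1 behaviour with the image name spelled out, and it only fires if the `logman\s+` pattern is widened.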
