Detect Indicator Blocking in Elastic Security
Adversaries may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This includes tampering with Event Tracing for Windows (ETW), disabling crash dumps, modifying syslog configuration, redirecting telemetry, or blocking network traffic to SIEM/logging infrastructure. ETW tampering is particularly impactful as many security tools depend on ETW providers for visibility.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1562 Impair Defenses
- Sub-technique: T1562.006 Indicator Blocking
- Canonical reference: https://attack.mitre.org/techniques/T1562/006/
Elastic Detection Query
sequence by host.name with maxspan=5m
  [process where event.type == "start" and
    (
      process.command_line like~ "*Set-EtwTraceProvider*" or
      process.command_line like~ "*logman stop*" or
      process.command_line like~ "*logman delete*" or
      process.command_line like~ "*logman update*" or
      process.command_line like~ "*Remove-EtwTraceProvider*" or
      process.command_line like~ "*EtwEventWrite*" or
      process.command_line like~ "*NtTraceEvent*" or
      process.command_line like~ "*NtTraceControl*" or
      process.command_line like~ "*systemctl stop rsyslog*" or
      process.command_line like~ "*systemctl stop syslog-ng*" or
      process.command_line like~ "*service rsyslog stop*" or
      process.command_line like~ "*service syslog stop*" or
      process.command_line like~ "*esxcli system syslog*"
    ) and
    /* tuning: installers and configuration management legitimately drive logman.exe */
    not (process.parent.name in ("msiexec.exe", "sccmexec.exe") and process.name == "logman.exe")]
  [any where event.category == "registry" and event.type in ("creation", "change") and
    registry.path like~ "*CrashControl*" and
    (registry.value like~ "*CrashDumpEnabled*" or registry.value like~ "*NMICrashDump*")]

Detects T1562.006 Indicator Blocking via ETW provider tampering (logman, Set-EtwTraceProvider, Remove-EtwTraceProvider, ETW API patching), crash dump disabling via CrashControl registry keys, and syslog daemon termination on Linux/ESXi systems. Covers both Windows process command-line patterns and registry modification events. Note that EQL pipes (`| where`) apply to the output of a whole sequence, not to an individual stage, so the logman exclusion belongs inside the first stage as shown; and because this is a two-stage sequence, an alert fires only when a matching process start is followed within 5 minutes on the same host by a CrashControl registry change. The Linux/ESXi syslog patterns in the first stage therefore never alert on their own; split them into a standalone `process where` rule if you want coverage for those hosts.
False Positives & Tuning
- Legitimate IT administrators using logman.exe to manage ETW sessions for performance diagnostics or troubleshooting
- SCCM or Ansible automation scripts that stop and restart syslog services during configuration management runs
- Security vendors (EDR, DLP) that programmatically manage ETW providers as part of their own telemetry pipeline
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Stop ETW Trace Session with logman
  Expected signal: Sysmon Event ID 1: logman.exe with CommandLine 'stop EventLog-Application -ets'.
- Test 2: Disable Crash Dumps via Registry
  Expected signal: Sysmon Event ID 13: Registry value set for CrashControl\CrashDumpEnabled=0. Sysmon Event ID 1: reg.exe process creation.
- Test 3: Stop rsyslog Service on Linux
  Expected signal: Auditd execve record for systemctl stop rsyslog. Syslog may capture its own stop (depending on timing). MDE DeviceProcessEvents if deployed.
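The following is an added example, not code from the original page or from Elastic: a small Python re-implementation of the EQL sequence above, run over constructed sample events modelled on the expected signals in the three tests. It assumes ECS-style field names (`host.name`, `process.command_line`, `registry.path`, `registry.value`) and uses a simplified sequence engine (oldest pending stage-1 event on the same host within the 5-minute window is consumed by the next stage-2 event), which is close to but not identical to Elastic's semantics. It shows which events the first stage matches, which the logman/msiexec tuning clause excludes, and why a stage-1 hit on a Linux host never becomes an alert under this rule.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Window of the EQL `with maxspan=5m` clause
MAXSPAN = timedelta(minutes=5)

# Stage-1 command-line patterns, copied from the rule above
STAGE1_PATTERNS = [
    "*Set-EtwTraceProvider*", "*logman stop*", "*logman delete*", "*logman update*",
    "*Remove-EtwTraceProvider*", "*EtwEventWrite*", "*NtTraceEvent*", "*NtTraceControl*",
    "*systemctl stop rsyslog*", "*systemctl stop syslog-ng*", "*service rsyslog stop*",
    "*service syslog stop*", "*esxcli system syslog*",
]
# Stage-2 registry value patterns, copied from the rule above
CRASHCONTROL_VALUES = ["*CrashDumpEnabled*", "*NMICrashDump*"]
# Tuning exclusion from the rule: parents that legitimately drive logman.exe
EXCLUDED_LOGMAN_PARENTS = ("msiexec.exe", "sccmexec.exe")


def like_ci(value, pattern):
    """EQL `like~`: case-insensitive glob match; a missing field never matches."""
    return value is not None and fnmatchcase(value.lower(), pattern.lower())


def stage1_process_start(ev):
    """First stage: process start whose command line hits a tampering pattern,
    minus the logman.exe-under-installer exclusion."""
    if ev.get("event.category") != "process" or ev.get("event.type") != "start":
        return False
    cmd = ev.get("process.command_line")
    if not any(like_ci(cmd, p) for p in STAGE1_PATTERNS):
        return False
    excluded = (ev.get("process.name") == "logman.exe"
                and ev.get("process.parent.name") in EXCLUDED_LOGMAN_PARENTS)
    return not excluded


def stage2_crashcontrol_registry(ev):
    """Second stage: creation/change of a CrashControl value that disables dumps."""
    if ev.get("event.category") != "registry":
        return False
    if ev.get("event.type") not in ("creation", "change"):
        return False
    return (like_ci(ev.get("registry.path"), "*CrashControl*")
            and any(like_ci(ev.get("registry.value"), p) for p in CRASHCONTROL_VALUES))


def run_sequence(events):
    """Simplified sequence engine (assumption, not Elastic's exact semantics):
    a stage-2 event completes the oldest pending stage-1 event on the same host
    that lies within MAXSPAN. Returns (stage1_event, stage2_event) pairs."""
    pending = {}   # host.name -> stage-1 events waiting for a stage-2 match
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        host = ev["host.name"]
        if stage1_process_start(ev):
            pending.setdefault(host, []).append(ev)
        elif stage2_crashcontrol_registry(ev):
            # drop stage-1 events that fell out of the window, then consume one match
            fresh = [p for p in pending.get(host, [])
                     if ev["@timestamp"] - p["@timestamp"] <= MAXSPAN]
            pending[host] = fresh
            if fresh:
                alerts.append((fresh.pop(0), ev))
    return alerts


def alerted_hosts(events):
    """Hosts that produced a complete two-stage match."""
    return [first["host.name"] for first, _ in run_sequence(events)]


T0 = datetime(2024, 1, 1, 12, 0, 0)
CRASHCONTROL = r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled"

# Constructed sample events (not real telemetry), modelled on the expected signals
# of Tests 1-3: Sysmon EID 1 for logman.exe, EID 13 for the registry set, auditd execve.
SAMPLE_EVENTS = [
    # WIN-LAB01: Test 1 (logman stop) followed 2 minutes later by Test 2 -> alert
    {"@timestamp": T0, "host.name": "WIN-LAB01", "event.category": "process",
     "event.type": "start", "process.name": "logman.exe", "process.parent.name": "cmd.exe",
     "process.command_line": "logman stop EventLog-Application -ets"},
    {"@timestamp": T0 + timedelta(minutes=2), "host.name": "WIN-LAB01",
     "event.category": "registry", "event.type": "change",
     "registry.path": CRASHCONTROL, "registry.value": "CrashDumpEnabled"},
    # WIN-LAB02: same logman command but spawned by msiexec.exe -> tuning exclusion, no alert
    {"@timestamp": T0, "host.name": "WIN-LAB02", "event.category": "process",
     "event.type": "start", "process.name": "logman.exe", "process.parent.name": "msiexec.exe",
     "process.command_line": "logman stop EventLog-Application -ets"},
    {"@timestamp": T0 + timedelta(minutes=1), "host.name": "WIN-LAB02",
     "event.category": "registry", "event.type": "change",
     "registry.path": CRASHCONTROL, "registry.value": "CrashDumpEnabled"},
    # LNX-LAB01: Test 3 (rsyslog stopped); stage 1 matches but no registry stage can follow
    {"@timestamp": T0, "host.name": "LNX-LAB01", "event.category": "process",
     "event.type": "start", "process.name": "systemctl", "process.parent.name": "bash",
     "process.command_line": "systemctl stop rsyslog"},
    # WIN-LAB03: both stages present but 10 minutes apart, outside maxspan -> no alert
    {"@timestamp": T0, "host.name": "WIN-LAB03", "event.category": "process",
     "event.type": "start", "process.name": "logman.exe", "process.parent.name": "cmd.exe",
     "process.command_line": "logman stop EventLog-Application -ets"},
    {"@timestamp": T0 + timedelta(minutes=10), "host.name": "WIN-LAB03",
     "event.category": "registry", "event.type": "change",
     "registry.path": CRASHCONTROL, "registry.value": "CrashDumpEnabled"},
]

if __name__ == "__main__":
    for first, second in run_sequence(SAMPLE_EVENTS):
        print(f"ALERT {first['host.name']}: {first['process.command_line']!r} "
              f"then {second['registry.value']} changed")
```

Running it prints a single alert for WIN-LAB01. The LNX-LAB01 and WIN-LAB03 stage-1 hits are the cases to watch when tuning: they are exactly the matches a standalone (non-sequence) rule would surface and this sequence silently drops.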
References
- https://attack.mitre.org/techniques/T1562/006/
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md
- https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-authentication-a-]