Detect Indicator Blocking in CrowdStrike LogScale
Adversaries may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This includes tampering with Event Tracing for Windows (ETW), disabling crash dumps, modifying syslog configuration, redirecting telemetry, or blocking network traffic to SIEM/logging infrastructure. ETW tampering is particularly impactful as many security tools depend on ETW providers for visibility.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.006 Indicator Blocking
- Canonical reference
- https://attack.mitre.org/techniques/T1562/006/
LogScale Detection Query
#repo=base_sensor
#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(Set-EtwTraceProvider|Remove-EtwTraceProvider|logman\s+(stop|delete|update)|EtwEventWrite|NtTraceEvent|NtTraceControl|CrashDumpEnabled|systemctl\s+stop\s+(rsyslog|syslog-ng)|service\s+(rsyslog|syslog)\s+stop|esxcli\s+system\s+syslog)/
| blocking_type := case {
CommandLine = /(?i)(Set-EtwTraceProvider|Remove-EtwTraceProvider|logman\s+(stop|delete|update))/ => "ETW Tampering";
CommandLine = /(?i)(EtwEventWrite|NtTraceEvent|NtTraceControl)/ => "ETW API Patching";
CommandLine = /(?i)CrashDumpEnabled/ => "Crash Dump Disabled";
CommandLine = /(?i)(rsyslog|syslog-ng|syslog\s+stop)/ => "Syslog Tampering";
* => "Other"
}
| table([timestamp, ComputerName, UserName, blocking_type, CommandLine, ParentBaseFileName, FileName])
| sort(timestamp, order=desc)
// Registry-based crash dump detection (separate query — union manually in dashboard)
// #event_simpleName=RegSetValue
// | ObjectName = /(?i)CrashControl/
// | ValueName = /(?i)(CrashDumpEnabled|NMICrashDump)/
// | table([timestamp, ComputerName, UserName, ObjectName, ValueName, RegStringValue])Detects T1562.006 Indicator Blocking in CrowdStrike Falcon/LogScale by matching ProcessRollup2 events where CommandLine contains ETW provider manipulation strings, ETW API patching patterns, crash dump disabling commands, or syslog service termination. Includes a secondary RegSetValue query (commented) for registry-based crash dump detection targeting CrashControl keys.
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor itself or CrowdStrike RTR scripts that interact with ETW providers during sensor health checks or live response sessions
- Enterprise software deployment tools (SCCM, Intune) running logman.exe as part of application installation that includes ETW-based diagnostics
- SRE runbooks that disable crash dumps on high-memory database servers to prevent kernel panic from consuming disk space in production
Other platforms for T1562.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stop ETW Trace Session with logman
Expected signal: Sysmon Event ID 1: logman.exe with CommandLine 'stop EventLog-Application -ets'.
- Test 2Disable Crash Dumps via Registry
Expected signal: Sysmon Event ID 13: Registry value set for CrashControl\CrashDumpEnabled=0. Sysmon Event ID 1: reg.exe process creation.
- Test 3Stop rsyslog Service on Linux
Expected signal: Auditd execve record for systemctl stop rsyslog. Syslog may capture its own stop (depending on timing). MDE DeviceProcessEvents if deployed.
References (5)
- https://attack.mitre.org/techniques/T1562/006/
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md
- https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-authentication-a-]
Unlock Pro Content
Get the full detection package for T1562.006 including response playbook, investigation guide, and atomic red team tests.