T1562.006 IBM QRadar · QRadar

Detect Indicator Blocking in IBM QRadar

Adversaries may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This includes tampering with Event Tracing for Windows (ETW), disabling crash dumps, modifying syslog configuration, redirecting telemetry, or blocking network traffic to SIEM/logging infrastructure. ETW tampering is particularly impactful as many security tools depend on ETW providers for visibility.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1562 Impair Defenses
Sub-technique: T1562.006 Indicator Blocking
Canonical reference: https://attack.mitre.org/techniques/T1562/006/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  "CommandLine",
  "TargetObject",
  CASE
    WHEN "CommandLine" ILIKE '%Set-EtwTraceProvider%'
      OR "CommandLine" ILIKE '%Remove-EtwTraceProvider%'
      OR "CommandLine" ILIKE '%logman stop%'
      OR "CommandLine" ILIKE '%logman delete%'
      OR "CommandLine" ILIKE '%logman update%'
      THEN 'ETW Tampering'
    WHEN "CommandLine" ILIKE '%EtwEventWrite%'
      OR "CommandLine" ILIKE '%NtTraceEvent%'
      OR "CommandLine" ILIKE '%NtTraceControl%'
      THEN 'ETW API Patching'
    WHEN "CommandLine" ILIKE '%CrashDumpEnabled%'
      OR "TargetObject" ILIKE '%CrashControl%'
      THEN 'Crash Dump Disabled'
    WHEN "CommandLine" ILIKE '%rsyslog%'
      OR "CommandLine" ILIKE '%syslog-ng%'
      OR "CommandLine" ILIKE '%syslog stop%'
      OR "CommandLine" ILIKE '%esxcli system syslog%'
      THEN 'Syslog Tampering'
    ELSE 'Other'
  END AS blocking_type
FROM events
WHERE LOGSOURCETYPEID IN (12, 253, 352)
  AND starttime > NOW() - 86400000
  AND (
    -- Sysmon process creation: ETW, crash-dump and syslog tampering command lines
    (eventid = 1 AND (
      "CommandLine" ILIKE '%Set-EtwTraceProvider%' OR
      "CommandLine" ILIKE '%Remove-EtwTraceProvider%' OR
      "CommandLine" ILIKE '%logman stop%' OR
      "CommandLine" ILIKE '%logman delete%' OR
      "CommandLine" ILIKE '%logman update%' OR
      "CommandLine" ILIKE '%EtwEventWrite%' OR
      "CommandLine" ILIKE '%NtTraceEvent%' OR
      "CommandLine" ILIKE '%NtTraceControl%' OR
      "CommandLine" ILIKE '%CrashDumpEnabled%' OR
      "CommandLine" ILIKE '%systemctl stop rsyslog%' OR
      "CommandLine" ILIKE '%systemctl stop syslog-ng%' OR
      "CommandLine" ILIKE '%service rsyslog stop%' OR
      "CommandLine" ILIKE '%service syslog stop%' OR
      "CommandLine" ILIKE '%esxcli system syslog%'
    ))
    -- Sysmon registry events: crash dump setting under CrashControl
    OR (eventid IN (12, 13) AND "TargetObject" ILIKE '%CrashControl%CrashDumpEnabled%')
  )
ORDER BY starttime DESC
```

Severity: high · Confidence: medium

Detects T1562.006 Indicator Blocking in QRadar by querying Sysmon process creation (EventID 1) and registry events (EventID 12/13) for ETW tampering commands, crash dump registry modifications, and syslog daemon shutdown commands. Uses LOGSOURCETYPEID filtering for Sysmon (12) and WinEventLog (253) log sources.

Data Sources

  • IBM QRadar with Sysmon DSM
  • WinCollect for Windows
  • Linux syslog via QRadar

Required Tables

events

False Positives & Tuning

  • Scheduled tasks or monitoring agents that periodically reconfigure ETW trace sessions for telemetry management
  • OS patching processes that temporarily stop syslog services during package upgrades on Linux servers
  • Crash dump settings modified by enterprise imaging tools during OS deployment or system hardening baselines
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Stop ETW Trace Session with logman

    Expected signal: Sysmon Event ID 1: logman.exe with CommandLine 'stop EventLog-Application -ets'.

  2. Test 2: Disable Crash Dumps via Registry

    Expected signal: Sysmon Event ID 13: Registry value set for CrashControl\CrashDumpEnabled=0. Sysmon Event ID 1: reg.exe process creation.

  3. Test 3: Stop rsyslog Service on Linux

    Expected signal: Auditd execve record for systemctl stop rsyslog. Syslog may capture its own stop (depending on timing). MDE DeviceProcessEvents if deployed.
