T1562.006 Microsoft Sentinel · KQL

Detect Indicator Blocking in Microsoft Sentinel

Adversaries may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This includes tampering with Event Tracing for Windows (ETW), disabling crash dumps, modifying syslog configuration, redirecting telemetry, or blocking network traffic to SIEM/logging infrastructure. ETW tampering is particularly impactful as many security tools depend on ETW providers for visibility.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1562 Impair Defenses
Sub-technique: T1562.006 Indicator Blocking
Canonical reference: https://attack.mitre.org/techniques/T1562/006/

KQL Detection Query

Microsoft Sentinel (KQL)
// Command-line indicators of ETW provider / trace-session tampering and of ETW API patching
let ETWTampering = dynamic(["Set-EtwTraceProvider", "logman stop", "logman delete", "logman update", "Remove-EtwTraceProvider", "EtwEventWrite", "NtTraceEvent", "NtTraceControl"]);
// Registry values under CrashControl that disable kernel crash dumps
let CrashDumpTampering = dynamic(["CrashDumpEnabled", "NMICrashDump"]);
// Commands that stop or reconfigure syslog on Linux and ESXi
let SyslogTampering = dynamic(["systemctl stop rsyslog", "systemctl stop syslog-ng", "service rsyslog stop", "service syslog stop", "esxcli system syslog"]);
// DeviceRegistryEvents has no ProcessCommandLine column, so registry rows can only match the CrashControl branch
union DeviceProcessEvents, DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (ETWTampering)
   or ProcessCommandLine has_any (SyslogTampering)
   or ProcessCommandLine has "CrashDumpEnabled"
   or (ActionType == "RegistryValueSet" and RegistryKey has "CrashControl" and RegistryValueName has_any (CrashDumpTampering))
| extend BlockingType = case(
    ProcessCommandLine has_any ("Set-EtwTraceProvider", "logman stop", "logman delete", "logman update", "Remove-EtwTraceProvider"), "ETW Tampering",
    ProcessCommandLine has_any ("EtwEventWrite", "NtTraceEvent", "NtTraceControl"), "ETW API Patching",
    RegistryValueName has_any (CrashDumpTampering) or ProcessCommandLine has "CrashDumpEnabled", "Crash Dump Disabled",
    ProcessCommandLine has_any ("rsyslog", "syslog-ng", "syslog"), "Syslog Tampering",
    "Other")
| project Timestamp, DeviceName, AccountName, BlockingType, ProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc

Severity: High · Confidence: High

Detects indicator blocking through ETW provider manipulation (Set-EtwTraceProvider, logman), crash dump disablement (CrashDumpEnabled registry key), and syslog service stopping. APT41 and HUI Loader are known to use ETW bypass techniques, while HermeticWiper disables crash dumps.

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Windows Registry: Windows Registry Key Modification
  • Sensor Health: Host Status

Required Tables

  • DeviceProcessEvents
  • DeviceRegistryEvents

False Positives & Tuning

  • Performance engineers using logman to manage ETW trace sessions for diagnostics
  • System administrators configuring crash dump settings for disk space management on servers
  • Security teams intentionally modifying ETW providers during tuning or testing
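
The query's classification logic together with an allowlist for the benign cases listed above, re-implemented in Python over constructed MDE-shaped events so the rule can be exercised offline. This is an added example, not the page's rule and not Microsoft code: event keys mirror the DeviceProcessEvents / DeviceRegistryEvents columns, the sample events and the `tuning_allowlist` parameter are constructed for illustration, and `has_any` only approximates KQL term matching. Registry rows for either CrashControl value are labelled "Crash Dump Disabled".

```python
"""BlockingType classification from the Sentinel query, ported to Python and run
over constructed MDE-shaped events. Added example: not the page's rule and not
Microsoft code. Event keys mirror DeviceProcessEvents / DeviceRegistryEvents;
`tuning_allowlist` is a hypothetical tuning input."""
import re

# Indicator lists taken from the query
ETW_TAMPERING = ["Set-EtwTraceProvider", "logman stop", "logman delete",
                 "logman update", "Remove-EtwTraceProvider"]
ETW_API_PATCHING = ["EtwEventWrite", "NtTraceEvent", "NtTraceControl"]
CRASH_DUMP_VALUES = ["CrashDumpEnabled", "NMICrashDump"]
SYSLOG_TAMPERING = ["systemctl stop rsyslog", "systemctl stop syslog-ng",
                    "service rsyslog stop", "service syslog stop",
                    "esxcli system syslog"]


def has_any(text, terms):
    """Approximation of KQL `has_any`: case-insensitive, and the term must not be
    glued to surrounding word characters (so "syslog" does not match "rsyslog")."""
    if not text:
        return False
    return any(re.search(r"(?<![\w-])" + re.escape(t) + r"(?![\w-])", text, re.I)
               for t in terms)


def classify(event):
    """Return the BlockingType the query's `case` assigns, or None when the event
    does not satisfy the `where` clause. Registry rows carry no ProcessCommandLine
    and are matched only on the CrashControl branch, as in the query."""
    cmd = event.get("ProcessCommandLine") or ""
    reg_key = event.get("RegistryKey") or ""
    reg_val = event.get("RegistryValueName") or ""
    registry_hit = (event.get("ActionType") == "RegistryValueSet"
                    and has_any(reg_key, ["CrashControl"])
                    and has_any(reg_val, CRASH_DUMP_VALUES))
    cmd_hit = (has_any(cmd, ETW_TAMPERING) or has_any(cmd, ETW_API_PATCHING)
               or has_any(cmd, SYSLOG_TAMPERING) or has_any(cmd, ["CrashDumpEnabled"]))
    if not (cmd_hit or registry_hit):
        return None
    if has_any(cmd, ETW_TAMPERING):
        return "ETW Tampering"
    if has_any(cmd, ETW_API_PATCHING):
        return "ETW API Patching"
    if has_any(reg_val, CRASH_DUMP_VALUES) or has_any(cmd, ["CrashDumpEnabled"]):
        return "Crash Dump Disabled"
    if has_any(cmd, ["rsyslog", "syslog-ng", "syslog"]):
        return "Syslog Tampering"
    return "Other"


def run_detection(events, tuning_allowlist=()):
    """Emit alert rows newest first, dropping (AccountName, BlockingType) pairs
    listed in tuning_allowlist (e.g. a performance engineer's approved ETW work)."""
    rows = []
    for ev in events:
        btype = classify(ev)
        if btype is None or (ev.get("AccountName"), btype) in tuning_allowlist:
            continue
        rows.append((ev["Timestamp"], ev["DeviceName"], ev.get("AccountName"), btype,
                     ev.get("ProcessCommandLine"), ev.get("RegistryValueName"),
                     ev.get("InitiatingProcessFileName")))
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed sample telemetry (not real data)
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws01", "AccountName": "jdoe",
     "ActionType": "ProcessCreated",
     "ProcessCommandLine": "logman stop EventLog-Application -ets",
     "InitiatingProcessFileName": "cmd.exe"},
    {"Timestamp": "2024-01-01T10:01:00Z", "DeviceName": "srv02", "AccountName": "SYSTEM",
     "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl",
     "RegistryValueName": "CrashDumpEnabled", "RegistryValueData": "0",
     "InitiatingProcessFileName": "reg.exe"},
    {"Timestamp": "2024-01-01T10:02:00Z", "DeviceName": "lnx03", "AccountName": "root",
     "ActionType": "ProcessCreated",
     "ProcessCommandLine": "systemctl stop rsyslog",
     "InitiatingProcessFileName": "bash"},
    {"Timestamp": "2024-01-01T10:03:00Z", "DeviceName": "ws01", "AccountName": "perfeng",
     "ActionType": "ProcessCreated",
     "ProcessCommandLine": "logman stop PerfDiag -ets",  # approved diagnostics work
     "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2024-01-01T10:04:00Z", "DeviceName": "ws01", "AccountName": "jdoe",
     "ActionType": "ProcessCreated",
     "ProcessCommandLine": "logman query -ets",  # benign: query, not stop/delete
     "InitiatingProcessFileName": "cmd.exe"},
]

if __name__ == "__main__":
    # The allowlist drops the performance engineer's logman stop but keeps everything else
    for row in run_detection(SAMPLE_EVENTS, {("perfeng", "ETW Tampering")}):
        print(row)
```

Keying the allowlist on the (account, BlockingType) pair rather than on the command line alone keeps the suppression narrow: the same engineer running `systemctl stop rsyslog` or editing CrashControl would still alert.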

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Stop ETW Trace Session with logman

    Expected signal: Sysmon Event ID 1: logman.exe with CommandLine 'stop EventLog-Application -ets'.

  2. Test 2: Disable Crash Dumps via Registry

    Expected signal: Sysmon Event ID 13: Registry value set for CrashControl\CrashDumpEnabled=0. Sysmon Event ID 1: reg.exe process creation.

  3. Test 3: Stop rsyslog Service on Linux

    Expected signal: Auditd execve record for systemctl stop rsyslog. Syslog may capture its own stop (depending on timing). MDE DeviceProcessEvents if deployed.
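
A small harness for checking the three expected signals above against collected telemetry, added here as an example; it is not part of this page or of Atomic Red Team. Sysmon events are simplified dicts (EventID, Image, CommandLine, TargetObject, Details), auditd records are raw lines, and every sample record is constructed. The auditd parser rebuilds argv from the EXECVE record's a0..aN fields, including the hex-encoded form auditd uses for arguments with spaces or control bytes.

```python
"""Harness for the three tests above: given telemetry, report which expected
signal each test produced. Added example, not part of this page or of Atomic
Red Team. Sysmon events are simplified dicts (EventID, Image, CommandLine,
TargetObject, Details) and all sample records are constructed."""
import re


def parse_auditd_execve(line):
    """Rebuild argv from an auditd EXECVE record's a0..aN fields. auditd quotes
    plain arguments and hex-encodes ones containing spaces or control bytes,
    so both forms are handled. Returns None for any other record type."""
    if "type=EXECVE" not in line:
        return None
    args = {}
    for m in re.finditer(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))', line):
        idx = int(m.group(1))
        args[idx] = (m.group(2) if m.group(2) is not None
                     else bytes.fromhex(m.group(3)).decode("utf-8", "replace"))
    return " ".join(args[i] for i in sorted(args))


def saw_logman_stop(sysmon):
    """Test 1: Event ID 1 for logman.exe stopping the EventLog-Application session."""
    return any(e.get("EventID") == 1
               and e.get("Image", "").lower().endswith("\\logman.exe")
               and "stop eventlog-application -ets" in e.get("CommandLine", "").lower()
               for e in sysmon)


def saw_crashdump_disabled(sysmon):
    """Test 2: Event ID 13 setting CrashControl\\CrashDumpEnabled to 0, plus the
    Event ID 1 for the reg.exe that performed it. Sysmon's 'DWORD (0x00000000)'
    rendering of the data is assumed here."""
    value_set = any(e.get("EventID") == 13
                    and e.get("TargetObject", "").lower().endswith("\\crashcontrol\\crashdumpenabled")
                    and re.search(r"\(0x0+\)", e.get("Details", ""))
                    for e in sysmon)
    reg_exe = any(e.get("EventID") == 1 and e.get("Image", "").lower().endswith("\\reg.exe")
                  for e in sysmon)
    return value_set and reg_exe


def saw_rsyslog_stop(auditd_lines):
    """Test 3: an EXECVE record whose rebuilt argv is `systemctl stop rsyslog`."""
    return any(re.search(r"\bsystemctl\s+stop\s+rsyslog\b", parse_auditd_execve(l) or "")
               for l in auditd_lines)


def validate(sysmon, auditd_lines):
    """Map each test to whether its expected signal was observed."""
    return {"Test 1": saw_logman_stop(sysmon),
            "Test 2": saw_crashdump_disabled(sysmon),
            "Test 3": saw_rsyslog_stop(auditd_lines)}


# Constructed sample telemetry, shaped like what the three tests would produce
SAMPLE_SYSMON = [
    {"EventID": 1, "Image": r"C:\Windows\System32\logman.exe",
     "CommandLine": "logman stop EventLog-Application -ets"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000000)"},
]
SAMPLE_AUDITD = [
    'type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 comm="systemctl" exe="/usr/bin/systemctl"',
    'type=EXECVE msg=audit(1700000000.123:456): argc=3 a0="systemctl" a1="stop" a2="rsyslog"',
    # hex-encoded argument ("rsyslog") on a benign status check, to exercise the decoder
    'type=EXECVE msg=audit(1700000000.789:457): argc=3 a0="systemctl" a1="status" a2=727379736C6F67',
]

if __name__ == "__main__":
    for test, seen in validate(SAMPLE_SYSMON, SAMPLE_AUDITD).items():
        print(f"{test}: {'signal observed' if seen else 'MISSING'}")
```

Run it once with the telemetry exported after each test; a test that reports MISSING means the sensor, the log forwarding, or the query's table coverage needs attention before the rule can be trusted for that platform.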
