Detect Indicator Blocking in Splunk
Adversaries may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This includes tampering with Event Tracing for Windows (ETW), disabling crash dumps, modifying syslog configuration, redirecting telemetry, or blocking network traffic to SIEM/logging infrastructure. ETW tampering is particularly impactful as many security tools depend on ETW providers for visibility.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.006 Indicator Blocking
- Canonical reference
- https://attack.mitre.org/techniques/T1562/006/
SPL Detection Query
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(CommandLine="*Set-EtwTraceProvider*" OR CommandLine="*logman stop*" OR CommandLine="*logman delete*" OR CommandLine="*logman update*" OR CommandLine="*Remove-EtwTraceProvider*"))
OR
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=12 OR EventCode=13)
TargetObject="*CrashControl*CrashDumpEnabled*")
OR
(index=linux sourcetype=syslog ("systemctl stop rsyslog" OR "systemctl stop syslog-ng" OR "service rsyslog stop" OR "service syslog stop" OR "esxcli system syslog"))
| eval BlockingType=case(
match(_raw, "(?i)(Set-EtwTraceProvider|logman\s+(stop|delete|update)|Remove-EtwTraceProvider)"), "ETW Tampering",
match(_raw, "(?i)CrashDumpEnabled"), "Crash Dump Disabled",
match(_raw, "(?i)(rsyslog|syslog-ng|syslog)"), "Syslog Tampering",
true(), "Other")
| table _time, host, User, EventCode, BlockingType, CommandLine, TargetObject, Details
| sort - _timeDetects indicator blocking across Windows (ETW tampering, crash dump registry changes) and Linux (syslog service stops). ETW tampering is a critical indicator as it can blind EDR, AMSI, and other security monitoring that relies on ETW providers.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Performance engineers using logman to manage ETW trace sessions for diagnostics
- System administrators configuring crash dump settings for disk space management on servers
- Security teams intentionally modifying ETW providers during tuning or testing
Other platforms for T1562.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stop ETW Trace Session with logman
Expected signal: Sysmon Event ID 1: logman.exe with CommandLine 'stop EventLog-Application -ets'.
- Test 2Disable Crash Dumps via Registry
Expected signal: Sysmon Event ID 13: Registry value set for CrashControl\CrashDumpEnabled=0. Sysmon Event ID 1: reg.exe process creation.
- Test 3Stop rsyslog Service on Linux
Expected signal: Auditd execve record for systemctl stop rsyslog. Syslog may capture its own stop (depending on timing). MDE DeviceProcessEvents if deployed.
References (5)
- https://attack.mitre.org/techniques/T1562/006/
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md
- https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-authentication-a-]
Unlock Pro Content
Get the full detection package for T1562.006 including response playbook, investigation guide, and atomic red team tests.