Detect Indicator Blocking in Sumo Logic CSE
Adversaries may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This includes tampering with Event Tracing for Windows (ETW), disabling crash dumps, modifying syslog configuration, redirecting telemetry, or blocking network traffic to SIEM/logging infrastructure. ETW tampering is particularly impactful as many security tools depend on ETW providers for visibility.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1562 Impair Defenses
- Sub-technique: T1562.006 Indicator Blocking
- Canonical reference: https://attack.mitre.org/techniques/T1562/006/
Sumo Detection Query
(_sourceCategory="windows/sysmon" OR _sourceCategory="linux/syslog" OR _sourceCategory="windows/security")
| where (%"EventCode" IN ("1", "12", "13") OR _sourceCategory matches "*linux*")
| where (
CommandLine matches "*Set-EtwTraceProvider*" OR
CommandLine matches "*Remove-EtwTraceProvider*" OR
CommandLine matches "*logman* stop*" OR
CommandLine matches "*logman* delete*" OR
CommandLine matches "*logman* update*" OR
CommandLine matches "*EtwEventWrite*" OR
CommandLine matches "*NtTraceEvent*" OR
CommandLine matches "*NtTraceControl*" OR
CommandLine matches "*CrashDumpEnabled*" OR
CommandLine matches "*systemctl stop rsyslog*" OR
CommandLine matches "*systemctl stop syslog-ng*" OR
CommandLine matches "*service rsyslog stop*" OR
CommandLine matches "*service syslog stop*" OR
CommandLine matches "*esxcli system syslog*"
)
OR (
TargetObject matches "*CrashControl*CrashDumpEnabled*"
)
| if(CommandLine matches "*Set-EtwTraceProvider*" OR CommandLine matches "*Remove-EtwTraceProvider*" OR CommandLine matches "*logman* stop*" OR CommandLine matches "*logman* delete*" OR CommandLine matches "*logman* update*", "ETW Tampering",
if(CommandLine matches "*EtwEventWrite*" OR CommandLine matches "*NtTraceEvent*" OR CommandLine matches "*NtTraceControl*", "ETW API Patching",
if(CommandLine matches "*CrashDumpEnabled*" OR TargetObject matches "*CrashControl*", "Crash Dump Disabled",
if(CommandLine matches "*rsyslog*" OR CommandLine matches "*syslog-ng*" OR CommandLine matches "*syslog stop*" OR CommandLine matches "*esxcli system syslog*", "Syslog Tampering",
"Other")))) as blocking_type
| min(_time) as first_seen, max(_time) as last_seen, count by _sourceHost, User, blocking_type, CommandLine, TargetObject
| sort by last_seen desc

Detects T1562.006 Indicator Blocking in Sumo Logic by searching Windows Sysmon process creation (Event ID 1) and registry events (Event IDs 12 and 13) alongside Linux syslog data for ETW provider tampering commands, crash dump disabling via the CrashControl registry key, and syslog service shutdown. Each hit is labelled with a blocking type for triage prioritisation, and results are aggregated per host, user, type and command, with first and last seen times, so a repeated command from one host shows up as one row rather than a flood. The registry branch matches on TargetObject because Sysmon registry events do not carry a CommandLine. The logman clauses use `*logman* stop*` (and the delete/update equivalents) so that both `logman stop ...` and `logman.exe stop ...` are caught.
False Positives & Tuning
- Windows Defender or third-party AV products that adjust ETW providers during live response or remediation actions
- DevOps pipelines running logman.exe for automated performance trace collection in CI/CD environments; suppress these by host or service account rather than by dropping the logman clauses
- Linux configuration management (Chef, Puppet, Ansible) that stops and restarts syslog services during convergence runs
- The logman clauses must match both `logman stop` and `logman.exe stop`; a wildcard anchored on the bare `logman stop` form misses a process launched by its full image name
- The Linux branch keys on a CommandLine field, which plain syslog does not carry; execution telemetry (auditd execve records or an EDR process-event source) has to be parsed into that field, otherwise the Linux leg never fires
Testing Methodology
Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Stop ETW Trace Session with logman
Expected signal: Sysmon Event ID 1: logman.exe with CommandLine 'stop EventLog-Application -ets'.
- Test 2: Disable Crash Dumps via Registry
Expected signal: Sysmon Event ID 13: Registry value set for CrashControl\CrashDumpEnabled=0. Sysmon Event ID 1: reg.exe process creation.
- Test 3: Stop rsyslog Service on Linux
Expected signal: Auditd execve record for systemctl stop rsyslog. Syslog may capture its own stop (depending on timing). MDE DeviceProcessEvents if deployed.
References
- https://attack.mitre.org/techniques/T1562/006/
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md
- https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-authentication-a-]