title: Indicator Blocking (T1562.006)
id: df00tech-t1562-006
status: experimental
description: "Adversaries may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This includes tampering with Event Tracing for Windows (ETW), disabling crash dumps, modifying syslog configuration, redirecting telemetry, or blocking network traffic to SIEM/logging infrastructure. ETW tampering is particularly impactful as many security tools depend on ETW providers for visibility."
references:
  - https://attack.mitre.org/techniques/T1562/006/
  - https://df00tech.com/detections/T1562.006
author: df00tech
date: 2026/04/21
tags:
  - attack.t1562.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: the selection below (EventID: '*') matches every process_creation event,
  # so this rule must not be deployed as-is; replace the selection with the translated logic first.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Performance engineers using logman to manage ETW trace sessions for diagnostics
  - System administrators configuring crash dump settings for disk space management on servers
  - Security teams intentionally modifying ETW providers during tuning or testing
level: high
