Detection rules › Splunk
ETW Trace Provider Modified - PowerShell (PowerShell)
Event Tracing for Windows (ETW) trace providers are components that generate events for logging allowing for monitoring and diagnosis of Windows system and application behaviors. Threat actors may alter ETW trace provides to modify or disable logging capabilities, thereby evading detection and maintaining persistence in a compromised system. This use case detects commands targeting ETW providers, specifically targeting events related to adding or modifying event trace providers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1070 Indicator Removal, T1562.006 Impair Defenses: Indicator Blocking |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '31175.55799'
title: ETW Trace Provider Modified - PowerShell
description: Event Tracing for Windows (ETW) trace providers are components that generate
events for logging allowing for monitoring and diagnosis of Windows system and application
behaviors. Threat actors may alter ETW trace provides to modify or disable logging
capabilities, thereby evading detection and maintaining persistence in a compromised
system. This use case detects commands targeting ETW providers, specifically targeting
events related to adding or modifying event trace providers.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR
"<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") (TERM(Remove-EtwTraceProvider)
OR (TERM(Set-EtwTraceProvider) "0x11")) OR ("System.Management.Automation.Tracing.PSEtwLogProvider"
"m_enabled") | table _time, host, user, parent_process_name, process_name, process
| bin span=1s | stats values(*) as * by _time, host '
techniques:
- defense-evasion:impair defenses:indicator blocking
- defense-evasion:indicator removal
technique_id:
- T1562.006
- T1070
data_category:
- PowerShell logs
references:
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://gist.github.com/tandasat/e595c77c52e13aaee60e1e8b65d2ba32
- https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_etw_trace_evasion/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR "<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") (TERM(Remove-EtwTraceProvider) OR (TERM(Set-EtwTraceProvider) "0x11")) OR ("System.Management.Automation.Tracing.PSEtwLogProvider" "m_enabled")
Stage 2: table
| table _time, host, user, parent_process_name, process_name, process
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4103<" |
| 1 | TERM |
| 1 | "<EventID>4104<" |
| 1 | "Remove-EtwTraceProvider" |
| 1 | "Set-EtwTraceProvider" |
| 1 | "0x11" |
| 1 | "System.Management.Automation.Tracing.PSEtwLogProvider" |
| 1 | "m_enabled" |