Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
| --- | --- | --- | --- | --- |
| Suspicious Windows Trace ETW Session Tamper Via Logman.EXE | Standard | Windows | Defense Evasion: Indicator Removal - Clear Windows Event Logs (T1070.001); Defense Evasion: Impair Defenses - Disable or Modify Tools (T1562.001) | Critical |
About the rule
Rule Type
Standard
Rule Description
Detects the execution of the "logman" utility in order to stop or delete Windows trace (ETW) sessions
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Privilege escalation → Reconnaissance phase → ETW tampering → Log deletion → Stealth persistence
Impact
- Logging evasion
- Audit disruption
- Stealth operations
- Forensic obstruction
Rule Requirement
Prerequisites
- Using Windows event viewer:
To enable detailed process tracking, log in to the domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or modify a GPO linked to the relevant OU and navigate to the Detailed Tracking section under Audit Policies. Enable Audit Process Creation and Audit Process Termination by selecting the Success checkbox in each setting. For deeper visibility, enable command line logging by setting "Include command line in process creation events" to Enabled. Additionally, ensure the registry key Microsoft-Windows-Security-Auditing/Operational exists under the EventLog directory.
- Using Sysmon:
Download and install Sysmon from Microsoft Sysinternals, and run it with administrator privileges using a configuration file that enables process creation monitoring. Install Sysmon with the command sysmon.exe -i [configfile.xml], and ensure your config captures all process creation events. Finally, create the registry key Microsoft-Windows-Sysmon/Operational under the EventLog directory if it doesn’t already exist.
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\logman.exe" OR ORIGINALFILENAME = "Logman.exe") AND COMMANDLINE contains "stop ,delete " AND COMMANDLINE contains "Circular Kernel Context Logger,EventLog-,SYSMON TRACE,SysmonDnsEtwSession" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
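As an added illustration (not code from the rule page or the product's query engine), the criteria above evaluated in Python over a handful of constructed process-start events. It assumes that each comma-separated list in the rule means "contains any of" and that string matching is case-insensitive; the field names and literals are the ones the rule itself uses.

```python
# Literal strings taken from the rule's Criteria; each list is treated as
# "contains ANY of" and compared case-insensitively (both are assumptions
# about the platform's list syntax).
LOGMAN_VERBS = ("stop ", "delete ")
TRACE_SESSIONS = (
    "Circular Kernel Context Logger",
    "EventLog-",
    "SYSMON TRACE",
    "SysmonDnsEtwSession",
)

def contains_any(haystack: str, needles) -> bool:
    h = haystack.lower()
    return any(n.lower() in h for n in needles)

def matches_rule(event: dict) -> bool:
    """Return True when a process-start event satisfies the rule's Criteria."""
    if event.get("actionname") != "Process started":
        return False
    proc = event.get("PROCESSNAME", "").lower()
    orig = event.get("ORIGINALFILENAME", "").lower()
    # Match on path OR PE original filename, so a renamed logman.exe is still caught.
    if not (proc.endswith("\\logman.exe") or orig == "logman.exe"):
        return False
    cmd = event.get("COMMANDLINE", "")
    return contains_any(cmd, LOGMAN_VERBS) and contains_any(cmd, TRACE_SESSIONS)

def select_fields(event: dict) -> dict:
    """Project the fields listed in the rule's 'select' clause for the analyst."""
    keys = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
            "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")
    return {k: event.get(k) for k in keys}

# Constructed sample events (not real telemetry): the first two should alert,
# the last two are routine logman uses and must not.
SAMPLE_EVENTS = [
    {"actionname": "Process started", "HOSTNAME": "WS01",
     "PROCESSNAME": r"C:\Windows\System32\logman.exe", "USERNAME": "CORP\\admin",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe",
     "COMMANDLINE": 'logman stop "SYSMON TRACE" -ets'},
    {"actionname": "Process started", "HOSTNAME": "WS02",
     "PROCESSNAME": r"C:\Temp\lm.exe", "ORIGINALFILENAME": "Logman.exe",  # renamed copy
     "COMMANDLINE": "lm.exe delete EventLog-Application -ets"},
    {"actionname": "Process started", "HOSTNAME": "WS03",
     "PROCESSNAME": r"C:\Windows\System32\logman.exe",
     "COMMANDLINE": "logman query -ets"},             # only lists sessions
    {"actionname": "Process started", "HOSTNAME": "WS04",
     "PROCESSNAME": r"C:\Windows\System32\logman.exe",
     "COMMANDLINE": 'logman stop "MyPerfCounters"'},  # session not named by the rule
]

def run_rule(events) -> list:
    return [select_fields(e) for e in events if matches_rule(e)]
```

The second sample shows why the rule checks ORIGINALFILENAME as well as the path: a renamed binary still carries the PE original name. Fields absent from an event (such as MESSAGE) come back as None in the projected output rather than breaking the match.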
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
- Defense Evasion: Indicator Removal - Clear Windows Event Logs (T1070.001)
- Defense Evasion: Impair Defenses - Disable or Modify Tools (T1562.001)
Security Standards
Enabling this rule will help you meet the requirements of the security standards listed below:
- SI-4: System Monitoring
Ensure continuous monitoring to detect attacks and indicators of compromise.
Triggering this rule helps identify attempts to disable logging, ensuring critical monitoring mechanisms remain active.
- AU-6: Audit Review, Analysis, and Reporting
Mandates timely review and analysis of audit records for indications of inappropriate or unusual activity.
Triggering this rule highlights potential tampering with audit mechanisms, supporting deeper review and correlation.
- AU-12: Audit Generation
Requires systems to generate audit records for defined events.
Triggering this rule detects actions that could prevent audit generation, maintaining logging integrity.
- SI-7: Software, Firmware, and Information Integrity
Ensures the integrity of security functions, including logs and monitoring tools.
Triggering this rule alerts on modifications that could degrade system integrity, such as disabling trace sessions.
- IR-5: Incident Monitoring
Supports detection of security incidents through event and incident data collection.
Triggering this rule provides visibility into tampering that may precede or follow an incident.
- AU-14: Session Audit
Ensures mechanisms are in place to monitor session activity and record relevant audit data.
Triggering this rule detects attempts to stop session-level trace logging, safeguarding audit coverage.
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
This rule will also trigger when administrative staff legitimately stop or delete trace sessions with logman for maintenance or configuration purposes.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
- Containment: Isolate the affected host to prevent further disruption of monitoring services or potential lateral movement.
- Recovery: Re-enable or recreate the tampered ETW trace sessions and restore logging configurations to resume normal auditing.
Mitigation
| Mitigation ID | Mitigation name | Description |
| --- | --- | --- |
| M1041 | Encrypt Sensitive Information | Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
| M1029 | Remote Data Storage | Forward events to a centralized log server or data repository to reduce the risk of local tampering by adversaries. Wherever feasible, minimize delays in event transmission to limit the duration data remains on the local system. |
| M1022 | Restrict File and Directory Permissions | Protect generated event files that are stored locally with proper permissions and authentication, and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| M1038 | Execution Prevention | Implement application control to restrict the execution of unauthorized tools, especially those like rootkit removal utilities that can be misused to weaken system defenses. Ensure only vetted and approved security applications are allowed to run across enterprise systems. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services. |