An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering with the settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry, and are also reachable through administrative utilities such as PowerShell or Windows Management Instrumentation.
ETW interruption can be achieved in multiple ways, most directly by defining conditions with the PowerShell Set-EtwTraceProvider cmdlet or by editing the relevant Registry keys directly.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by any means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
Tactic: Defense Evasion
Data Sources: Sensor health and status, Process command-line parameters, Process monitoring
Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems
Restrict File and Directory Permissions: Ensure event tracers/forwarders, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls.
Software Configuration: Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.
User Account Management: Ensure event tracers/forwarders, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts.
Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data.
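The "silence" check described above, as an added example that is not part of the original post: it summarises per-host, per-source last-seen times from a constructed batch of telemetry records and reports hosts whose reporting has stopped entirely versus hosts where only one channel (here Sysmon) has gone quiet while another (Security) continues. Host names, source names and timestamps are all constructed; in production the tuples would be summarised from the SIEM index rather than built in memory.

```python
"""Sensor-silence detector (added example, not code from the original post).

Telemetry is constructed in memory as (host, source, timestamp) tuples; in a real
deployment they would come from a per-host/per-source summary of the SIEM index.
"""
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0)  # constructed reference time for the sample
EXPECTED_SOURCES = ("Microsoft-Windows-Sysmon/Operational", "Security")


def _stream(host, source, minutes):
    """Build one host/source stream with an event every listed minute after T0."""
    return [(host, source, T0 + timedelta(minutes=m)) for m in minutes]


# Constructed sample (not real telemetry):
#   host-a keeps reporting both channels every 5 minutes up to +55 min;
#   host-b's Sysmon stream stops at +10 min while Security continues
#          (partial block, e.g. one forwarder killed);
#   host-c stops entirely at +5 min (total block, e.g. a firewall rule).
SAMPLE_EVENTS = (
    _stream("host-a", EXPECTED_SOURCES[0], range(0, 60, 5))
    + _stream("host-a", EXPECTED_SOURCES[1], range(0, 60, 5))
    + _stream("host-b", EXPECTED_SOURCES[0], range(0, 11, 5))
    + _stream("host-b", EXPECTED_SOURCES[1], range(0, 60, 5))
    + _stream("host-c", EXPECTED_SOURCES[0], range(0, 6, 5))
    + _stream("host-c", EXPECTED_SOURCES[1], range(0, 6, 5))
)


def last_seen(events):
    """Return {(host, source): most recent timestamp} over the event batch."""
    seen = {}
    for host, source, ts in events:
        key = (host, source)
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def silent_sensors(events, now, max_gap, expected_sources=EXPECTED_SOURCES):
    """Return {host: (kind, {source: gap_seconds})} for every host that has
    reported at least once but has an expected source unseen for longer than
    max_gap. kind is "total" when every expected source is silent, otherwise
    "partial" (only certain kinds of data stopped). gap_seconds is None when a
    source has never been seen for that host at all."""
    seen = last_seen(events)
    findings = {}
    for host in sorted({h for h, _ in seen}):
        gaps = {}
        for src in expected_sources:
            ts = seen.get((host, src))
            gap = None if ts is None else (now - ts).total_seconds()
            if gap is None or gap > max_gap.total_seconds():
                gaps[src] = gap
        if gaps:
            kind = "total" if len(gaps) == len(expected_sources) else "partial"
            findings[host] = (kind, gaps)
    return findings


def demo():
    """Evaluate the constructed sample one hour after T0 with a 15-minute limit."""
    return silent_sensors(SAMPLE_EVENTS, T0 + timedelta(minutes=60),
                          timedelta(minutes=15))


if __name__ == "__main__":
    for host, (kind, gaps) in demo().items():
        print(f"{host}: {kind} silence -> {gaps}")
```

The threshold should be set per source from the observed cadence (a channel that normally logs every few seconds can use a much tighter gap than one that logs a few times an hour), and a host that has never reported a given source is reported with a None gap so that a freshly deployed or misconfigured sensor is visible too.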
Depending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop, or a connection to be blocked. For example, Sysmon logs when its configuration state has changed (Event ID 16), and Windows Management Instrumentation (WMI) may be used to subscribe to ETW providers that log any provider removal from a specific trace session. To detect changes to ETW configuration you can also monitor the Registry key under which autologger trace sessions, and the providers enabled in each of them, are configured (HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger); the WINEVT\Publishers key used in the second search below is where manifest-based event providers are registered, so reads or writes there point at enumeration of what the host can log:
Tampering with Event Tracing for Windows (Sysmon configuration change, edits to Autologger sessions, logman update trace, or Windows Performance Recorder (wpr.exe) being launched):
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=16) OR (EventCode IN (12,13) TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger*") OR (EventCode=1 Image="*\\logman.exe" CommandLine="*update trace*") OR (EventCode=1 Image="*\\wpr.exe")
Enumerating ETW trace sessions and registered providers with logman.exe or via the Registry:
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image="*\\logman.exe" CommandLine="*query*") OR (EventCode IN (12,13) TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Publishers*")
Both searches also fire on legitimate administration and performance troubleshooting, so baseline which accounts and hosts normally run logman.exe and wpr.exe, and which installers write under WINEVT\Publishers, before turning them into alerts.
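The two searches above rendered as plain Python and run over a handful of constructed Sysmon events, as an added example that is not part of the original post and not the Splunk engine itself. Splunk compares field values case-insensitively and treats `*` as a wildcard, which fnmatch over lower-cased strings reproduces for these patterns. The event dictionaries, paths, the `{provider-guid}` placeholder and the command lines are all constructed sample data.

```python
"""Python rendering of the two Splunk searches for ETW tampering and enumeration
(added example, not code from the original post). Events are constructed Sysmon
records shaped like the fields Splunk extracts from the Operational log."""
from fnmatch import fnmatchcase

AUTOLOGGER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger*"
PUBLISHERS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers*"


def like(value, pattern):
    """Splunk-style field comparison: case-insensitive, '*' matches anything."""
    return fnmatchcase(str(value).lower(), pattern.lower())


def etw_tamper_reason(ev):
    """First search: signs that what ETW/Sysmon collect is being changed.
    Returns a short reason string, or None when the event does not match."""
    code = ev.get("EventCode")
    if code == 16:
        return "Sysmon configuration changed"
    if code in (12, 13) and like(ev.get("TargetObject", ""), AUTOLOGGER_KEY):
        return "Autologger trace session key modified"
    if (code == 1 and like(ev.get("Image", ""), r"*\logman.exe")
            and like(ev.get("CommandLine", ""), "*update trace*")):
        return "logman update trace"
    if code == 1 and like(ev.get("Image", ""), r"*\wpr.exe"):
        return "Windows Performance Recorder launched"
    return None


def etw_enum_reason(ev):
    """Second search: reconnaissance of trace sessions and registered providers."""
    code = ev.get("EventCode")
    if (code == 1 and like(ev.get("Image", ""), r"*\logman.exe")
            and like(ev.get("CommandLine", ""), "*query*")):
        return "logman query"
    if code in (12, 13) and like(ev.get("TargetObject", ""), PUBLISHERS_KEY):
        return "WINEVT Publishers key touched"
    return None


def triage(events):
    """Return [(index, rule, reason)] for every event that hits either search."""
    hits = []
    for i, ev in enumerate(events):
        reason = etw_tamper_reason(ev)
        if reason:
            hits.append((i, "etw_tamper", reason))
        reason = etw_enum_reason(ev)
        if reason:
            hits.append((i, "etw_enum", reason))
    return hits


# Constructed sample events (not real telemetry); {provider-guid} and {some-clsid}
# are placeholders standing in for the GUIDs Sysmon would record.
SAMPLE_EVENTS = [
    {"EventCode": 16, "Image": r"C:\Windows\Sysmon64.exe"},
    {"EventCode": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\WMI\Autologger"
                     r"\EventLog-Application\{provider-guid}\Enabled",
     "Details": "DWORD (0x00000000)"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\logman.exe",
     "CommandLine": 'logman update trace EventLog-Application '
                    '--p "Microsoft-Windows-PowerShell" -ets'},
    {"EventCode": 1, "Image": r"C:\Windows\System32\logman.exe",
     "CommandLine": "logman query -ets"},
    {"EventCode": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT"
                     r"\Publishers\{provider-guid}"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventCode": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{some-clsid}\InprocServer32"},
]


if __name__ == "__main__":
    for index, rule, reason in triage(SAMPLE_EVENTS):
        print(f"event {index}: {rule} ({reason})")
```

Keeping each clause as its own reason string makes the alert self-describing and lets you tune clauses independently, for example suppressing `logman query` from known monitoring accounts while still alerting on Autologger key writes from anyone.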
Reference: MITRE ATT&CK
Secure Your Organization’s Mind with Securemind.se