@0xtf
Created December 16, 2020 05:20
SIEGMA rule example / 3CORESec Rule Development
title: Windows ETW Tampering
id: 29d02e66-cc4e-4cd4-8fd3-7e729e1a230d
status: experimental
description: Detects commands that remove, disable, stop or tamper with tracing sessions relevant to security.
author: 3CORESec
date: 2020/11/16
references:
  - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
  - https://github.com/Neo23x0/sigma/blob/8f6ad7df6b7f099db4bc1e867c4614074ea57e87/rules/windows/process_creation/win_etw_trace_evasion.yml
tags:
  - attack.defense_evasion
  - attack.t1562.006
  - car.2016-04-002
level: high
logsource:
  category: process_creation
  product: windows
detection:
  etw_removal: # Autologger provider removal
    CommandLine|contains|all:
      - 'Remove-EtwTraceProvider'
  provider_enable_modification: # Provider Enable property modification
    CommandLine|contains|all:
      - 'Set-EtwTraceProvider'
      - '0x11'
  provider_removal: # ETW provider removal from a trace session
    CommandLine|contains|all:
      - "update"
      - "trace"
      - "--p"
      - "-ets"
  etw_logman_stop:
    CommandLine|contains|all:
      - "stop"
      - "-ets"
  logs_security:
    CommandLine|contains:
      - "EventLog-Microsoft-Windows-WMI-Activity-Trace"
      - "EventLog-Microsoft-Windows-Sysmon-Operational"
      - "EventLog-Application"
      - "Microsoft-Windows-PowerShell"
      - "{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" # WMI
      - "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" # Sysmon
      - "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" # PowerShell
  condition: (etw_removal and logs_security) or (provider_enable_modification and logs_security) or (provider_removal and logs_security) or (etw_logman_stop and logs_security)
falsepositives:
  - Unknown
siemtags:
  - windows
notes:
  - windows/win_etw_tamper.md
sigma:
  backend-option:
    keyword_field:
      - ""
siegma:
  config:
    settings:
      language: lucene
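To check what this rule's condition actually fires on before shipping it to a SIEM, it helps to evaluate the selections by hand over a handful of process-creation command lines. The following Python is an added example written for this page; it is not part of the gist, of SIEGMA, or of any Sigma backend. It mirrors the rule's five selections, implements the `contains` and `contains|all` modifiers as case-insensitive substring matches (the Sigma specification's default; treating that as an assumption here), and evaluates the condition. The sample command lines are constructed for the test and use only tokens already present in the rule.

```python
"""Hand evaluator for the 'Windows ETW Tampering' Sigma rule (added example, not SIEGMA code)."""
from __future__ import annotations

# Selections copied from the rule above. "contains_all" = CommandLine|contains|all,
# "contains_any" = CommandLine|contains (a plain list is OR-ed).
RULE_SELECTIONS: dict[str, dict[str, list[str]]] = {
    "etw_removal": {"contains_all": ["Remove-EtwTraceProvider"]},
    "provider_enable_modification": {"contains_all": ["Set-EtwTraceProvider", "0x11"]},
    "provider_removal": {"contains_all": ["update", "trace", "--p", "-ets"]},
    "etw_logman_stop": {"contains_all": ["stop", "-ets"]},
    "logs_security": {
        "contains_any": [
            "EventLog-Microsoft-Windows-WMI-Activity-Trace",
            "EventLog-Microsoft-Windows-Sysmon-Operational",
            "EventLog-Application",
            "Microsoft-Windows-PowerShell",
            "{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}",  # WMI
            "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",  # Sysmon
            "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",  # PowerShell
        ]
    },
}

# The four "tampering" selections; each is AND-ed with logs_security in the condition.
TAMPER_SELECTIONS = (
    "etw_removal",
    "provider_enable_modification",
    "provider_removal",
    "etw_logman_stop",
)


def matched_selections(command_line: str) -> set[str]:
    """Return the names of every selection that matches the given CommandLine.

    Assumption: Sigma string matching is case-insensitive, so both sides are lower-cased.
    """
    cl = command_line.lower()
    hits: set[str] = set()
    for name, spec in RULE_SELECTIONS.items():
        if "contains_all" in spec and all(t.lower() in cl for t in spec["contains_all"]):
            hits.add(name)
        elif "contains_any" in spec and any(t.lower() in cl for t in spec["contains_any"]):
            hits.add(name)
    return hits


def rule_fires(command_line: str) -> bool:
    """Evaluate the rule's condition.

    (a and L) or (b and L) or (c and L) or (d and L) is equivalent to L and (a or b or c or d),
    which is what is checked here.
    """
    hits = matched_selections(command_line)
    return "logs_security" in hits and any(s in hits for s in TAMPER_SELECTIONS)


def scan(events: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return the process-creation events (dicts with a CommandLine field) the rule alerts on."""
    return [e for e in events if rule_fires(e.get("CommandLine", ""))]


if __name__ == "__main__":
    # Constructed sample events; the tokens come from the rule's own selections.
    sample_events = [
        {"Image": "C:\\Windows\\System32\\logman.exe",
         "CommandLine": "logman stop EventLog-Application -ets"},
        {"Image": "C:\\Windows\\System32\\logman.exe",
         "CommandLine": "logman query -ets"},
        {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "CommandLine": "powershell Set-EtwTraceProvider -Property 0x11"},
    ]
    for event in scan(sample_events):
        print("ALERT:", event["CommandLine"], "->", sorted(matched_selections(event["CommandLine"])))
```

Running the block alerts only on the first sample: `logman query -ets` matches nothing, and the `Set-EtwTraceProvider` line matches `provider_enable_modification` but names no security-relevant session or provider GUID, so `logs_security` is false and the condition does not fire. That second case is worth keeping in mind when tuning: the rule deliberately requires both a tampering verb and a reference to one of the listed sessions or providers, so it will not alert on ETW changes to unlisted sessions.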