Rule Info
Name
Important ETW Provider Has Been Unregistered
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects important or critical ETW providers that have been unregistered.
Attackers might unregister a certain provider in order to evade defenses or blind security monitoring tooling.
Reference
Internal Research
Date
2024-03-13 00:00:00
Modified
None
Id
cffe21b6-59f1-41f4-bce7-4129f1eaebe3
Tags
attack.defense_evasion
Type
Nextron Sigma feed only (private)
Rule History
Scan your endpoints, forensic images or collected files with our portable scanner THOR