Important ETW Provider Has Been Unregistered

Rule Info

Name: Important ETW Provider Has Been Unregistered
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects important or critical ETW providers that have been unregistered. Attackers might unregister a certain provider in order to evade defenses or blind security monitoring tooling.
Reference: Internal Research
Date: 2024-03-13 00:00:00
Modified: None
Id: cffe21b6-59f1-41f4-bce7-4129f1eaebe3
Tags: attack.defense-evasion
Type: Nextron Sigma feed only (private)

Rule History