This note documents detection patterns related to ETW Tampering within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects tampering tool or loader execution. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for ETW bypass chains. |
| Sysmon | 10 | Process access | Critical | Memory access into telemetry-producing processes. |
| Sysmon | 7 | Image loaded | High | Suspicious helper DLLs or loaders. |
| PowerShell | 4104 | Script block logging | High | Reflection-based ETW patch attempts may appear. |
| Sysmon | 11 | File create | Medium | Loader staged before tampering. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Known ETW strings | EtwEventWrite, ntdll, clr.dll | Critical | Classic patch footprint. |
| Sudden telemetry reduction | Logging stops after suspicious code | Critical | Operational symptom. |
| Memory write to ntdll / clr | Patch target | Critical | Strong evasion clue. |
| Reflection patch in PowerShell | ETW disable in managed runtime | Critical | Common operator pattern. |
| Loader then payload with weak logs | Strong sequence | High | High-confidence clue. |
| ETW bypass adjacent to AMSI bypass | Common pairing | Critical | Framework behavior. |
Common Tools
| Tool | Usage |
|---|---|
| PowerShell loaders | Reflection ETW patch |
| Cobalt Strike | ETW suppression |
| Custom loaders | In-memory ETW patching |
| .NET implants | CLR ETW tampering |
Relevant Artifacts
- Security Event ID 4688
- Sysmon Event IDs 1, 10, 7, 11
- PowerShell 4104
- Strings:
  - EtwEventWrite
  - clr.dll
  - ntdll.dll
- Memory patch context
- EDR telemetry drop
MITRE ATT&CK References
- T1562.001 Impair Defenses
Decision Tree
- Which process?
  - powershell
  - loader
  - implant
- Which patch target?
  - ntdll
  - clr
  - managed ETW path
- Strings observed?
  - EtwEventWrite
  - patch bytes
- Follow-on execution?
  - Injection
  - Beacon
  - Script
- Expand:
  - AMSI bypass
  - Defender tampering
  - Loader chain
- Scope:
  - Single patch
  - Framework behavior
  - Campaign pattern
Example Detection Templates
KQL
PowerShell
```kql
// Source table omitted on the page; prepend the table that holds your PowerShell Operational log (4104).
| where EventID == 4104
| where ScriptBlockText has_any ("EtwEventWrite", "clr.dll", "ntdll")
| project TimeGenerated, Computer, ScriptBlockText
```
Sysmon
```kql
// Source table omitted on the page; prepend the table that holds your Sysmon events.
| where EventID == 10
| project TimeGenerated, Computer, SourceImage, TargetImage, GrantedAccess
```
EQL
```eql
// Single-event rule: any process whose command line contains EtwEventWrite
process where process.command_line like "*EtwEventWrite*"
```
```eql
// Sequence rule: powershell.exe start followed, on the same host within 5 minutes,
// by a process whose command line mentions Etw
sequence by host.name with maxspan=5m
  [ process where process.name == "powershell.exe" ]
  [ process where process.command_line like "*Etw*" ]
```
Sigma
```yaml
title: ETW Tampering Detection
id: 3f8a2d15-etw-tampering
status: experimental
description: Detects common ETW tampering strings in PowerShell script block logs
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: powershell
detection:
  selection:
    ScriptBlockText|contains:
      - 'EtwEventWrite'
      - 'clr.dll'
      - 'ntdll'
  condition: selection
fields:
  - ScriptBlockText
falsepositives:
  - Security research
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
```
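As an added example (not part of this note), the same two patterns the KQL and EQL templates express, run in Python over constructed sample events: ETW string hits in 4104 script blocks, and the powershell.exe-then-Etw sequence within 5 minutes per host. The event dict shape, host names and file paths are assumptions.

```python
"""Toy triage over constructed events for two patterns from the templates above:
ETW strings in 4104 script blocks, and the EQL-style sequence (powershell.exe,
then an *Etw* command line on the same host within 5 min). Dict shape is assumed."""
from datetime import datetime, timedelta

ETW_STRINGS = ("EtwEventWrite", "clr.dll", "ntdll")  # from the indicator table
MAXSPAN = timedelta(minutes=5)                         # matches the EQL maxspan

# Constructed sample events: EventID 1 = Sysmon process creation, 4104 = script block.
EVENTS = [
    {"ts": "2026-03-07T10:00:00", "host": "WS01", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    {"ts": "2026-03-07T10:02:30", "host": "WS01", "EventID": 4104,
     "ScriptBlockText": "Write-Host 'stage2: EtwEventWrite in ntdll'"},
    {"ts": "2026-03-07T10:03:00", "host": "WS01", "EventID": 1,
     "Image": r"C:\Users\Public\loader.exe", "CommandLine": "loader.exe --disable-Etw"},
    {"ts": "2026-03-07T10:10:00", "host": "WS02", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1"},
    {"ts": "2026-03-07T10:11:00", "host": "WS02", "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Measure-Object"},
    {"ts": "2026-03-07T10:20:00", "host": "WS02", "EventID": 1,
     "Image": r"C:\Tools\EtwTrace.exe", "CommandLine": "EtwTrace.exe -start"},
]

def etw_string_hits(events):
    """4104 script blocks containing any known ETW patch string (case-insensitive)."""
    hits = []
    for e in (x for x in events if x["EventID"] == 4104):
        matched = [s for s in ETW_STRINGS if s.lower() in e["ScriptBlockText"].lower()]
        if matched:
            hits.append((e["host"], e["ts"], matched))
    return hits

def powershell_then_etw(events, maxspan=MAXSPAN):
    """Per host: powershell.exe creation followed within maxspan by a process whose
    command line mentions Etw. Stateful equivalent of the EQL sequence rule."""
    procs = sorted((e for e in events if e["EventID"] == 1), key=lambda e: e["ts"])
    hits = []
    for i, first in enumerate(procs):
        if not first["Image"].lower().endswith("powershell.exe"):
            continue
        t0 = datetime.fromisoformat(first["ts"])
        for second in procs[i + 1:]:
            if datetime.fromisoformat(second["ts"]) - t0 > maxspan:
                break  # globally time-sorted, so nothing later can qualify
            if second["host"] == first["host"] and "etw" in second["CommandLine"].lower():
                hits.append((first["host"], first["ts"], second["ts"], second["CommandLine"]))
    return hits
```

On the sample data WS01 trips both rules and WS02 trips neither, because its Etw-named process starts 10 minutes after powershell.exe, outside the 5-minute span.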
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Preserve 4104 | Critical visibility | Critical | Core signal |
| Watch memory patching | Strong evasion clue | Critical | High-value |
| Correlate with AMSI bypass | Framework detection | Critical | Strong triage |
| Alert on ETW strings | Low false positives | High | Valuable enrichment |
| EDR memory analytics | Catch patching | Critical | Best coverage |