MITRE ATT&CK Technique
Defense Evasion T1054
Description

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1086) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). ETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the registry to make alterations. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2017-05-31T21:30:47.384Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'An adversary may attempt to block indicators or events '
                'typically captured by sensors from being gathered and '
                'analyzed. This could include maliciously redirecting '
                '(Citation: Microsoft Lamin Sept 2017) or even disabling '
                'host-based sensors, such as Event Tracing for Windows '
                '(ETW),(Citation: Microsoft About Event Tracing 2018) by '
                'tampering settings that control the collection and flow of '
                'event telemetry. (Citation: Medium Event Tracing Tampering '
                '2018) These settings may be stored on the system in '
                'configuration files and/or in the Registry as well as being '
                'accessible via administrative utilities such as '
                '[PowerShell](https://attack.mitre.org/techniques/T1086) or '
                '[Windows Management '
                'Instrumentation](https://attack.mitre.org/techniques/T1047).\n'
                '\n'
                'ETW interruption can be achieved multiple ways, however most '
                'directly by defining conditions using the PowerShell '
                'Set-EtwTraceProvider cmdlet or by interfacing directly with '
                'the registry to make alterations.\n'
                '\n'
                'In the case of network-based reporting of indicators, an '
                'adversary may block traffic associated with reporting to '
                'prevent central analysis. This may be accomplished by many '
                'means, such as stopping a local process responsible for '
                'forwarding telemetry and/or creating a host-based firewall '
                'rule to block traffic to specific hosts responsible for '
                'aggregating events, such as security information and event '
                'management (SIEM) products. ',
 'external_references': [{'external_id': 'T1054',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1054'},
                         {'external_id': 'CAPEC-571',
                          'source_name': 'capec',
                          'url': 'https://capec.mitre.org/data/definitions/571.html'},
                         {'description': 'Microsoft. (2009, May 17). '
                                         'Backdoor:Win32/Lamin.A. Retrieved '
                                         'September 6, 2018.',
                          'source_name': 'Microsoft Lamin Sept 2017',
                          'url': 'https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A'},
                         {'description': 'Microsoft. (2018, May 30). About '
                                         'Event Tracing. Retrieved June 7, '
                                         '2019.',
                          'source_name': 'Microsoft About Event Tracing 2018',
                          'url': 'https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events'},
                         {'description': 'Palantir. (2018, December 24). '
                                         'Tampering with Windows Event '
                                         'Tracing: Background, Offense, and '
                                         'Defense. Retrieved June 7, 2019.',
                          'source_name': 'Medium Event Tracing Tampering 2018',
                          'url': 'https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63'}],
 'id': 'attack-pattern--6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:54.658Z',
 'name': 'Indicator Blocking',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Rob Smith'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.2'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About