// introduction
The Architecture That Trusts Its Own Inputs
Every SIEM-based detection architecture rests on a foundational assumption that is almost never stated explicitly: the log pipeline is honest. Events generated at the endpoint arrive at the SIEM intact, complete, and unmodified. This assumption is structurally embedded in how detection works, rules fire on events that arrive; rules do not fire on events that were suppressed, corrupted, or delayed. The absence of events looks identical to the absence of activity.
Log pipeline manipulation appears in real intrusion post-mortems. The Carbanak campaign manipulated Windows Event Logs during banking sector intrusions. HAFNIUM cleared IIS and Event Logs on compromised Exchange servers before IR teams arrived. BlackByte ransomware used BYOVD to terminate EDR processes at kernel level before payload deployment. Lazarus Group unloaded Sysmon drivers and modified audit policy before credential theft operations. In every case, pipeline manipulation occurred in the middle of the intrusion, after persistence was established, before the highest-risk activity. It is deliberate operational security, not opportunism.
Defenders must protect every stage of the pipeline. Attackers need to compromise only one to create a blind spot covering all downstream detection. Every stage left of the detection layer is an attack surface, and each stage failure is invisible to the detection layer because it only sees what arrives, not what was lost.
// architecture
The Pipeline as an Attack Surface
ETW Sysmon auditdWindows Event Log journaldWEF Winlogbeat FluentdSyslog HTTPS KafkaSIEM parser Field extraction// threat catalog
Seven Pipeline Manipulation Techniques
Clearing Security, System, or Application log channels via wevtutil cl, PowerShell Clear-EventLog, or direct API. Generates EID 1102 (Security log cleared) and EID 104 (System log cleared), but only if those channels are being forwarded before the clear occurs.
wevtutil cl Security
wevtutil cl "Microsoft-Windows-Sysmon/Operational"If the attacker clears the Sysmon operational log before WEF or the collection agent has forwarded events, the clearing event (EID 104) is generated but the pre-clearing events are permanently lost. Detection of the clear does not recover what was cleared.
Rather than clearing logs after generation, disabling the providers that generate telemetry, no events are produced, so no clearing artifact exists. Sysmon can be stopped as a service, its driver unloaded, or its config modified to exclude specific event types.
sc stop Sysmon64
fltMC unload SysmonDrv
logman stop "EventLog-Security" -etsSysmon service stop generates a System event, but only if System log forwarding is active and the collection agent is still running. If the agent is stopped first, the Sysmon stop event is generated locally and never forwarded. Sequence matters: agent first, then provider.
Killing Winlogbeat, NXLog, Fluentd, or the WEF subscription service stops forwarding without generating any event in the channels being forwarded. Events continue to be written locally but are never transmitted. From the SIEM's perspective, the host goes silent, indistinguishable from offline or network interruption.
taskkill /F /IM winlogbeat.exe
Stop-Service -Name "winlogbeat" -ForceThe SIEM receives no forwarding heartbeat and no explicit "agent stopped" event. Most SIEM deployments have no host-silence alerting that distinguishes "agent stopped by attacker" from "host rebooted" from "network issue."
Modern ransomware groups target EDR agents before payload deployment, process termination, driver unloading, or exploiting EDR vulnerabilities to disable kernel callbacks. BYOVD (Bring Your Own Vulnerable Driver) uses a legitimate but vulnerable signed driver to gain kernel-level access and blind EDR sensors. Used by Lazarus Group, BlackByte, and others.
BYOVD attacks use signed, legitimate drivers, no signature detection fires. The EDR is blinded before it can report its own compromise. Only pre-existing network telemetry or out-of-band monitoring survives.
Flood the pipeline with high-volume low-fidelity events to bury malicious activity in noise, trigger SIEM ingestion rate limits, or exhaust log storage quotas causing rollover of older events, overwriting evidence before forwarding occurs.
SIEM storage quotas and ingestion rate limits are designed for cost control, not security. Most deployments drop or sample events above the ingestion rate limit, an attacker who knows the rate limit can generate noise above it, causing targeted event types to be dropped by the SIEM's own cost controls.
Windows audit policy controls which event categories are generated. Disabling process creation auditing (suppressing EID 4688) or logon auditing (suppressing EIDs 4624/4625) eliminates entire event categories silently. The policy change itself generates EID 4719, but only if policy change auditing is still enabled.
auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable
auditpol /set /subcategory:"Logon" /success:disableAttackers who disable audit policy change auditing first, then disable target categories, produce no audit trail of either action. Correct control: monitor auditpol.exe execution via Sysmon EID 1, which is independent of Windows audit policy configuration.
SIEM ingestion parsers extract fields from log events, malformed events can cause field extraction failures, event drops, or incorrect field mappings. An attacker who understands the target SIEM's parser behavior can craft events that arrive but fail to match detection rules because critical fields are missing, null, or mapped incorrectly.
Parser failures are logged as ingestion errors, not security events. Most SOC teams never review ingestion error rates, they are treated as operational noise by the platform team and security noise by the SOC team. Nobody owns them.
// remediation
Telemetry Integrity Controls: Stage by Stage
Integrity controls must be applied at every stage. A control that protects event generation but not the collection agent is defeated by T03. A control that protects the agent but not the transport is defeated by T05.
auditpol.exe execution detection via Sysmon EID 1 independent of audit policyAnomalous silence detection: the most impactful single control
Every active host generates a predictable minimum volume of security events. A host that is network-active but generating zero security events is anomalous. Implementation: establish per-host expected daily event volume baseline; alert on hosts confirmed network-active via NetFlow or firewall logs that are below the minimum event volume threshold for a defined period. Network activity without log activity is the signature of pipeline suppression, the host is doing things but the SIEM cannot see them.
// detection rules
Detecting Pipeline Manipulation Directly
EID 1102 OR EID 104
InitiatingProcess NOT IN approved_admin_toolingThis rule must be hosted in a log source separate from the logs being cleared. Forward EID 1102 and 104 via an independently configured forwarding path as a compensating control.
System EID 7036
ServiceName: CONTAINS "Sysmon"
StoppingProcess: NOT IN approved_maintenance_listThis event is in the System log, not the Sysmon Operational log, it survives Sysmon log clearing. Supplement with Sysmon EID 1 monitoring for sc.exe and fltMC.exe with Sysmon-related arguments.
Sysmon EID 1
Image: "*\\auditpol.exe"
CommandLine: CONTAINS "/set" AND "disable"Functions regardless of whether Windows audit policy change auditing (EID 4719) is enabled, Sysmon process creation monitoring is independent of audit policy configuration.
Sysmon EID 5 (process terminated)
Image: MATCHES collection_agent_process_names
(winlogbeat.exe, nxlog.exe, fluentd, etc.)If Sysmon is stopped before the collection agent, EID 5 for agent termination is never generated. The correct architecture is Sysmon PPL plus collection agent monitoring independent of Sysmon.
For each host in monitored_inventory:
IF no events received for > N minutes
AND host confirmed network-active (NetFlow / DHCP / firewall)
THEN alert, anomalous silence with active network presenceStart threshold at 60 minutes to reduce noise from reboots and maintenance. The independent network activity confirmation is non-negotiable, host silence without network activity is just an offline host.
// conclusion
The Pipeline Is Part of the Attack Surface
Detection engineering focuses on what the SIEM sees. Pipeline integrity is about ensuring the SIEM sees what it should, and knowing when it doesn't. The organizations most exposed to pipeline manipulation are those who have invested heavily in detection logic and nothing in telemetry integrity. They have built a sophisticated analysis layer on top of a pipeline that an attacker with local admin can silence in three commands.
The closing question: if an attacker stopped your Sysmon service, cleared your Windows Event Logs, and killed your collection agent right now, how long before your SOC noticed? If the answer is "when the next alert fires", your detection architecture has no floor.
MITRE ATT&CK T1070 (Indicator Removal) sub-techniques; Sysmon PPL documentation (Sysinternals); BlackByte BYOVD analysis (Sophos X-Ops); Mandiant M-Trends reporting on log manipulation in intrusions; CISA guidance on logging and log integrity.