ETW Logging Disabled In .NET Processes - Registry

Sigma Rules

Summary
This detection rule identifies the disabling of Event Tracing for Windows (ETW) logging in .NET processes. ETW logging is critical for monitoring and debugging .NET applications, as it records activity such as method calls, exceptions and assembly loads. Adversaries may manipulate the registry to stop the .NET ETW providers from recording information about loaded .NET assemblies, which hinders incident response and forensic analysis. The rule specifically looks for registry changes that set the 'ETWEnabled' value to 0 under the .NET Framework registry key, as well as for writes to the 'COMPlus_ETWEnabled' and 'COMPlus_ETWFlags' registry values. By monitoring these changes, defenders can identify tampering with the configuration that may indicate malicious activity.
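The following is an added illustration of the rule's logic, not the Sigma rule itself or code from the rule repository: it runs the two conditions described above over constructed records shaped like Sysmon Event ID 13 (registry value set). The exact key HKLM\SOFTWARE\Microsoft\.NETFramework for 'ETWEnabled' and the Sysmon "DWORD (0x........)" rendering are assumptions; the COMPlus_* values are matched by value name only, since the page does not name their key.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records in the shape of Sysmon Event ID 13 (value set);
# they are illustrative, not captured telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled",
     "Details": "DWORD (0x00000000)"},      # match: ETW disabled for .NET
    {"EventID": "13", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled",
     "Details": "DWORD (0x00000001)"},      # benign: ETW enabled again
    {"EventID": "13", "TargetObject": "HKCU\\Environment\\COMPlus_ETWEnabled",
     "Details": "0"},                       # match: COMPlus_ETWEnabled written
    {"EventID": "13", "TargetObject": "HKCU\\Environment\\COMPlus_ETWFlags",
     "Details": "0"},                       # match: COMPlus_ETWFlags written
    {"EventID": "13", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\InstallRoot",
     "Details": "C:\\Windows\\Microsoft.NET\\Framework64\\"},  # benign: unrelated value
]

# Sysmon renders DWORD values as "DWORD (0x00000000)" (assumed format).
_DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def _dword(details: str) -> Optional[int]:
    """Parse a Sysmon DWORD rendering; return None if Details is not a DWORD."""
    m = _DWORD_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the matched condition, or None if the event is not of interest."""
    if event.get("EventID") != "13":        # only value-set events carry the new data
        return None
    target = event.get("TargetObject", "").lower()
    # Condition 1: ETWEnabled under the .NET Framework key (assumed path) set to 0.
    if target.endswith("\\microsoft\\.netframework\\etwenabled"):
        return "dotnet_etwenabled_zero" if _dword(event.get("Details", "")) == 0 else None
    # Condition 2: the COMPlus_* override values, wherever they are written.
    leaf = target.rsplit("\\", 1)[-1]
    if leaf in ("complus_etwenabled", "complus_etwflags"):
        return "complus_etw_override"
    return None


def detect_etw_tampering(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the detection over a batch of events; each hit is annotated with its reason."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append({**ev, "Reason": reason})
    return hits
```

Note that a non-zero 'ETWEnabled' write is deliberately not flagged, while any write to the COMPlus_* values is, which mirrors the two conditions stated in the summary.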
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2020-06-05