
Summary
This detection rule targets PowerShell cmdlets associated with disabling or removing Event Tracing for Windows (ETW) trace sessions. ETW is a core Windows facility for logging events and system behaviour, and tampering with it is a common way for an attacker to blind the sensors that consume those events (EDR agents, Sysmon, PowerShell logging itself). The rule inspects the ScriptBlockText field of PowerShell script block logging (Event ID 4104) for two cmdlets: 'Remove-EtwTraceProvider', whose presence alone triggers the alert, and 'Set-EtwTraceProvider', which triggers only when it appears together with a parameter value that stops the provider's tracing. The alert fires when either selection matches. Cmdlet matching is case-insensitive, since PowerShell resolves cmdlet names without regard to case, and the rule keys on script text rather than process arguments, so it depends on script block logging being enabled on the host. Because removing or silencing ETW providers can seriously undermine the security visibility of a system, the rule is assigned a high severity level.
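The matching logic described above, run over a handful of constructed script block events, as an added example that is not part of the original rule or its project. The page does not name the Set-EtwTraceProvider parameter value that indicates tracing is being stopped; the example assumes the substring '0x11' as that marker, and the event dictionaries, the autologger name and the placeholder GUID are all constructed for illustration.

```python
"""Added example: the rule's two selections applied to constructed ScriptBlockText events."""

# Cmdlet whose presence alone triggers the alert.
REMOVE_CMDLET = "Remove-EtwTraceProvider"
# Cmdlet that triggers only together with a parameter value that stops tracing.
SET_CMDLET = "Set-EtwTraceProvider"
# ASSUMPTION: the page does not name the stop-tracing parameter value;
# '0x11' is used here as the marker substring.
STOP_TRACING_MARKER = "0x11"


def is_etw_tampering(script_block_text: str) -> bool:
    """Return True when the text matches either selection of the rule.

    Matching is case-insensitive because PowerShell resolves cmdlet names
    without regard to case, so 'remove-etwtraceprovider' must match too.
    """
    text = script_block_text.lower()
    if REMOVE_CMDLET.lower() in text:
        return True
    return SET_CMDLET.lower() in text and STOP_TRACING_MARKER.lower() in text


def match_events(events):
    """Run the rule over script block logging events (Event ID 4104).

    Returns the ScriptBlockText values that fired, in input order.
    Events of other IDs carry no ScriptBlockText and are skipped.
    """
    hits = []
    for event in events:
        if event.get("EventID") != 4104:
            continue
        text = event.get("ScriptBlockText", "")
        if is_etw_tampering(text):
            hits.append(text)
    return hits


# Constructed sample events, not real telemetry. The GUID is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4104,
     "ScriptBlockText": "Get-EtwTraceProvider -AutologgerName EventLog-Application"},
    {"EventID": 4104,
     "ScriptBlockText": "Remove-EtwTraceProvider -AutologgerName EventLog-Application "
                        "-Guid '{00000000-0000-0000-0000-000000000001}'"},
    {"EventID": 4104,
     "ScriptBlockText": "set-etwtraceprovider -AutologgerName EventLog-Application "
                        "-Guid '{00000000-0000-0000-0000-000000000001}' -Property 0x11"},
    {"EventID": 4104,
     "ScriptBlockText": "Set-EtwTraceProvider -AutologgerName EventLog-Application "
                        "-Guid '{00000000-0000-0000-0000-000000000001}' -Level 5"},
    # Process-creation event: no ScriptBlockText, so the rule never sees it.
    {"EventID": 4688,
     "CommandLine": "powershell.exe -File setup.ps1"},
]


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the second and third events fire: the read-only Get-EtwTraceProvider call and the Set-EtwTraceProvider call that merely changes the level are left alone, as is the process-creation event that carries no script text. Plain substring matching of this kind is easy to evade with string concatenation or encoded commands, and it says nothing about equivalent tampering done through `logman` or the ETW APIs directly, so treat the rule as one signal among several rather than a complete control.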
Categories
- Endpoint
- Windows
Data Sources
- Script
- Process
Created: 2022-06-28