
ETW Trace Provider Modified - PowerShell

Anvilogic Forge

Summary
This detection rule targets modification of Event Tracing for Windows (ETW) trace providers through PowerShell. ETW backs much of Windows' event logging, so removing a provider from a trace session or autologger, or changing its level and keyword filters, lets an attacker blind the log channels and sensors that depend on it. The rule looks for execution of the EventTracingManagement cmdlets `Remove-EtwTraceProvider` and `Set-EtwTraceProvider`, with particular attention to parameters that change what a provider emits or which session it belongs to. Both mapped techniques, T1562.006 (Impair Defenses: Indicator Blocking) and T1070 (Indicator Removal), are defense-evasion techniques: a hit means someone is tampering with the host's own telemetry. Legitimate administrators and tracing tools use the same cmdlets, so hits need triage against the user, the host and the provider and session touched. The Splunk query filters the PowerShell Operational log for event codes 4103 (module logging, which records the resolved command name and its bound parameters) and 4104 (script block logging, which records the script text as executed); Module Logging and Script Block Logging therefore need to be enabled on the endpoints for these events to be written reliably. The rule covers the PowerShell route only; the same changes made with logman.exe or by editing the autologger registry keys directly need separate coverage.
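As an added example (not the Anvilogic rule or its Splunk query), the following Python applies the same matching logic to constructed PowerShell Operational log events and enriches each hit for triage. It goes a little beyond the summary: it parses both the 4104 script text and the 4103 ParameterBinding format, pulls out the provider GUID and the AutologgerName or SessionName, and ranks autologger changes higher because autologger configuration is stored under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger and survives a reboot, while a live session's settings vanish when it stops. The GUID, host names and user names are placeholders.

```python
"""Added example, not the Anvilogic rule: scan PowerShell Operational log
events for EtwTraceProvider tampering and enrich each hit for triage.

Event ID 4104 (Script Block Logging) carries the script text as typed.
Event ID 4103 (Module Logging) carries CommandInvocation(...) and
ParameterBinding(...) lines with cmdlet and parameter names already
resolved, which also defeats abbreviated or pieced-together names.
All sample events below are constructed; the GUID is a placeholder.
"""
import re

# The two EventTracingManagement cmdlets the rule looks for.
CMDLETS = re.compile(r"\b(Remove-EtwTraceProvider|Set-EtwTraceProvider)\b",
                     re.IGNORECASE)

# 4104 script text: "-Name value"; value bare or quoted, never starting with '-'.
PARAM_4104 = re.compile(
    r"""(?<=\s)-(\w+)\s+(?:'([^']*)'|"([^"]*)"|([^\s'"-]\S*))""")
# 4103 payload: ParameterBinding(...): name="Name"; value="value"
PARAM_4103 = re.compile(r'name="(\w+)";\s*value="([^"]*)"')

# Parameters that change what a provider emits; surfaced for the analyst,
# not interpreted, because their meaning depends on the provider.
FILTER_PARAMS = ("level", "matchanykeyword", "matchallkeyword", "property")


def extract(event):
    """Return (cmdlet, {param_lower: value}) or None if no target cmdlet appears."""
    if event["EventID"] == 4104:
        text, pattern = event["ScriptBlockText"], PARAM_4104
    elif event["EventID"] == 4103:
        text, pattern = event["Payload"], PARAM_4103
    else:
        return None
    hit = CMDLETS.search(text)
    if hit is None:
        return None
    params = {}
    for m in pattern.finditer(text):
        # exactly one of the value groups is populated for each match
        value = next(g for g in m.groups()[1:] if g is not None)
        params[m.group(1).lower()] = value
    return hit.group(1), params


def triage(event):
    """Score one event. -AutologgerName edits are persisted in the registry
    (HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger) and outlive a
    reboot, so they rank above edits to a live -SessionName."""
    found = extract(event)
    if found is None:
        return None
    cmdlet, p = found
    persistent = "autologgername" in p
    if cmdlet.lower() == "remove-etwtraceprovider":
        severity = "high" if persistent else "medium"
    else:
        severity = "high" if persistent else "low"
    return {
        "event_id": event["EventID"], "host": event["Computer"], "user": event["User"],
        "cmdlet": cmdlet, "severity": severity,
        "provider": p.get("guid"),
        "target": p.get("autologgername") or p.get("sessionname"),
        "filters": {k: v for k, v in p.items() if k in FILTER_PARAMS},
    }


def scan(events):
    return [f for f in map(triage, events) if f is not None]


GUID = "{11111111-2222-3333-4444-555555555555}"  # placeholder, not a real provider
SAMPLE_EVENTS = [  # constructed sample log records
    {"EventID": 4104, "Computer": "WS01", "User": "CORP\\jdoe",
     "ScriptBlockText": f"Remove-EtwTraceProvider -AutologgerName EventLog-Application -Guid '{GUID}'"},
    {"EventID": 4104, "Computer": "WS01", "User": "CORP\\jdoe",
     "ScriptBlockText": f"Set-EtwTraceProvider -Guid '{GUID}' -AutologgerName EventLog-Application -MatchAnyKeyword 0x0"},
    {"EventID": 4103, "Computer": "WS01", "User": "CORP\\jdoe",
     "Payload": 'CommandInvocation(Set-EtwTraceProvider): "Set-EtwTraceProvider"\r\n'
                f'ParameterBinding(Set-EtwTraceProvider): name="Guid"; value="{GUID}"\r\n'
                'ParameterBinding(Set-EtwTraceProvider): name="AutologgerName"; value="EventLog-Application"\r\n'
                'ParameterBinding(Set-EtwTraceProvider): name="MatchAnyKeyword"; value="0"'},
    {"EventID": 4104, "Computer": "SRV02", "User": "CORP\\svc_trace",
     "ScriptBlockText": f"Set-EtwTraceProvider -Guid '{GUID}' -SessionName MyTrace -Level 5"},
    {"EventID": 4104, "Computer": "SRV02", "User": "CORP\\svc_trace",
     "ScriptBlockText": "Get-EtwTraceProvider -SessionName MyTrace"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The 4103 path is why the rule keeps both event codes: module logging writes the cmdlet and parameter names as PowerShell resolved them, so a script that splices the cmdlet name together or abbreviates `-Auto` still surfaces as `Set-EtwTraceProvider` with `AutologgerName` bound, where a regex over the 4104 script text alone would miss it.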
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
  • Logon Session
  • User Account
ATT&CK Techniques
  • T1562.006
  • T1070
Created: 2024-05-09