ETW Logging Disabled In .NET Processes - Registry
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Sigma rule (View on GitHub)
title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
    - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
      type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
    - https://twitter.com/_xpn_/status/1268712093928378368
    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
    - https://bunnyinside.com/?term=f71e8cb9c76a
    - http://managed670.rssing.com/chan-5590147/all_p1.html
    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2022-12-20
tags:
    - attack.defense-evasion
    - attack.t1112
    - attack.t1562
logsource:
    product: windows
    service: security
detection:
    selection_etw_enabled:
        EventID: 4657
        ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
        ObjectValueName: 'ETWEnabled'
        NewValue: 0
    selection_complus:
        EventID: 4657
        ObjectName|contains: '\Environment'
        ObjectValueName:
            - 'COMPlus_ETWEnabled'
            - 'COMPlus_ETWFlags'
        NewValue: 0
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
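To show how the two selections and the `1 of selection_*` condition evaluate in practice, here is an added example (not part of the Sigma rule or the SigmaHQ tooling) that applies the same field logic to constructed Security event 4657 records; the event dictionaries, field normalisation and `evaluate` helper are assumptions of this example.

```python
"""Added example: evaluate the rule's two selections over constructed
Windows Security 4657 (registry value modified) records."""
from typing import Any, Dict, List

NET_FRAMEWORK_KEY_SUFFIX = "\\software\\microsoft\\.netframework"
COMPLUS_VALUES = {"complus_etwenabled", "complus_etwflags"}


def _norm(value: Any) -> str:
    """Normalise a field the way Sigma string matching does (case-insensitive)."""
    return str(value).strip().lower()


def matches_etw_enabled(ev: Dict[str, Any]) -> bool:
    """selection_etw_enabled: ETWEnabled under ...\\SOFTWARE\\Microsoft\\.NETFramework set to 0."""
    return (
        ev.get("EventID") == 4657
        and _norm(ev.get("ObjectName", "")).endswith(NET_FRAMEWORK_KEY_SUFFIX)
        and _norm(ev.get("ObjectValueName")) == "etwenabled"
        and _norm(ev.get("NewValue")) == "0"
    )


def matches_complus(ev: Dict[str, Any]) -> bool:
    """selection_complus: COMPlus_ETWEnabled / COMPlus_ETWFlags under an Environment key set to 0."""
    return (
        ev.get("EventID") == 4657
        and "\\environment" in _norm(ev.get("ObjectName", ""))
        and _norm(ev.get("ObjectValueName")) in COMPLUS_VALUES
        and _norm(ev.get("NewValue")) == "0"
    )


def evaluate(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """condition: 1 of selection_* -> an event alerts if either selection matches."""
    return [ev for ev in events if matches_etw_enabled(ev) or matches_complus(ev)]


# Constructed sample events (not real telemetry). ObjectName uses the
# \REGISTRY\... form that 4657 reports.
SAMPLE_EVENTS = [
    {"EventID": 4657, "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\.NETFramework",
     "ObjectValueName": "ETWEnabled", "NewValue": "0"},                      # matches selection 1
    {"EventID": 4657, "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1-2-3-1001\\Environment",
     "ObjectValueName": "COMPlus_ETWEnabled", "NewValue": "0"},              # matches selection 2
    {"EventID": 4657, "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1-2-3-1001\\Environment",
     "ObjectValueName": "COMPlus_ETWEnabled", "NewValue": "1"},              # re-enabling: no match
    {"EventID": 4657, "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\.NETFramework",
     "ObjectValueName": "InstallRoot", "NewValue": "C:\\Windows\\Microsoft.NET\\Framework\\"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["ObjectName"], hit["ObjectValueName"], "=", hit["NewValue"])
```

Event 4657 is only written when a SACL on the key audits value writes, so the rule depends on registry object-access auditing being configured for these keys; without it, the events never reach the Security log.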
Related rules
- ETW Logging Disabled For SCM
- ETW Logging Disabled For rpcrt4.dll
- ETW Logging Disabled In .NET Processes - Sysmon Registry
- AWS SecurityHub Findings Evasion
- Activate Suppression of Windows Security Center Notifications