ETW Logging Tamper In .NET Processes Via CommandLine

 1title: ETW Logging Tamper In .NET Processes Via CommandLine
 2id: 41421f44-58f9-455d-838a-c398859841d4
 3status: test
 4description: |
 5    Detects changes to environment variables related to ETW logging via the CommandLine.
 6    This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.    
 7references:
 8    - https://twitter.com/_xpn_/status/1268712093928378368
 9    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
10    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
11    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
12    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
13    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
14    - https://bunnyinside.com/?term=f71e8cb9c76a
15    - http://managed670.rssing.com/chan-5590147/all_p1.html
16    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
17    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
18author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
19date: 2020-05-02
20modified: 2022-12-09
21tags:
22    - attack.defense-evasion
23    - attack.t1562
24logsource:
25    category: process_creation
26    product: windows
27detection:
28    selection:
29        CommandLine|contains:
30            - 'COMPlus_ETWEnabled'
31            - 'COMPlus_ETWFlags'
32    condition: selection
33falsepositives:
34    - Unlikely
35level: high

References

• x.com

  
  Read More

• https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr

  
  Read More

• runtime/docs/design/coreclr/jit/viewing-jit-dumps.md at ee2355c801d892f2894b0f7b14a20e6cc50e0e54 · dotnet/runtime

  

  .NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - dotnet/runtime

  
  Read More

• runtime/src/coreclr/src/inc/clrconfigvalues.h at f62e93416a1799aecc6b0947adad55a0d9870732 · dotnet/runtime

  

  .NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - dotnet/runtime

  
  Read More

• runtime/src/coreclr/src/inc/clrconfig.h at 7abe42dc1123722ed385218268bb9fe04556e3d3 · dotnet/runtime

  

  .NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - dotnet/runtime

  
  Read More

• Build software better, together

  

  GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 420 million projects.

  
  Read More

• https://bunnyinside.com/?term=f71e8cb9c76a

  
  Read More

• JIT, NGen, and other Managed Code Generation Stuff

  Introduction One argument often made by those who dislike managed code is along the lines of “managed code can never be as fast as native code, because managed code has to do array bounds checks.” ...

  
  Read More

• runtime/docs/coding-guidelines/clr-jit-coding-conventions.md at 4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723 · dotnet/runtime

  

  .NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - dotnet/runtime

  
  Read More

• ´o b¡ó2jx¦@¬rOJiÜ—-„’F“»ST€À‘ňŒf�aÔ±n”nÃD…™ÑÛ(0)ˆ¶àS?‹œÑ>2Gn;$¬8ºÄì¨r¾´ÄC$›IÀ4ç�UÍ0E!­´ðˆ[“‘Bij7 .æ£!£8 Ùø 8¦$QË�ÍŠp™9NîÕ"ˆ {ØOr.שµº´¤‡ÆÚ—ÍŽÙ FËç�j'…bÛ�ùëTÙ‹šžd¶4Psw{...

  
  Read More

Related rules

• AWS SecurityHub Findings Evasion
• Azure Kubernetes Events Deleted
• ETW Logging Disabled For SCM
• ETW Logging Disabled For rpcrt4.dll
• ETW Logging Disabled In .NET Processes - Registry