ETW Logging Tamper In .NET Processes
Detects changes to environment variables related to ETW logging. This could indicate an adversary stopping ETW providers from recording loaded .NET assemblies.
Sigma rule
title: ETW Logging Tamper In .NET Processes
id: 41421f44-58f9-455d-838a-c398859841d4
status: test
description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
    - https://twitter.com/_xpn_/status/1268712093928378368
    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
    - https://bunnyinside.com/?term=f71e8cb9c76a
    - http://managed670.rssing.com/chan-5590147/all_p1.html
    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2022/12/09
tags:
    - attack.defense_evasion
    - attack.t1562
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'COMPlus_ETWEnabled'
            - 'COMPlus_ETWFlags'
    condition: selection
falsepositives:
    - Unlikely
level: high
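The rule's detection logic is a single `CommandLine|contains` selection over process_creation events. The following is an added example, not code from the Sigma project or the rule author, that applies that selection to a handful of constructed Sysmon-style events so the matching behaviour can be checked offline. It follows Sigma's default case-insensitive string matching for the `contains` modifier; the event dictionaries, image paths and command lines are constructed sample data, not real telemetry. Note that this rule only covers the command-line vector: the same variables set through the registry are the subject of the separate related rule "ETW Logging Disabled In .NET Processes - Registry" listed below.

```python
"""Added example: apply the Sigma rule's CommandLine|contains selection
to constructed process_creation events. Not part of the Sigma project."""

# The two indicator substrings exactly as listed in the rule's selection.
ETW_TAMPER_INDICATORS = ("COMPlus_ETWEnabled", "COMPlus_ETWFlags")

# Constructed sample events in a Sysmon Event ID 1 shape (not real telemetry).
# Only the first two should match: the third is an ordinary dotnet invocation,
# the fourth sets an unrelated COMPlus_ configuration variable.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "set COMPlus_ETWEnabled=0 && app.exe"'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c $env:complus_etwflags=0"},
    {"EventID": 1,
     "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": "dotnet.exe build MyProject.csproj"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c set COMPlus_JitDump=Main"},
]


def matched_indicator(event):
    """Return the first indicator substring found in the event's CommandLine,
    or None. Sigma's `contains` modifier is a case-insensitive substring
    match, so the comparison is done on lower-cased strings. Events without
    a CommandLine field cannot match (a missing field never satisfies a
    selection)."""
    cmdline = event.get("CommandLine")
    if not isinstance(cmdline, str):
        return None
    lowered = cmdline.lower()
    for indicator in ETW_TAMPER_INDICATORS:
        if indicator.lower() in lowered:
            return indicator
    return None


def selection_matches(event):
    """True when the rule's `selection` block matches the event."""
    return matched_indicator(event) is not None


def run_rule(events):
    """`condition: selection` means every event that satisfies the selection
    is an alert. Return those events, preserving input order."""
    return [e for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"[high] {hit['Image']} -> matched {matched_indicator(hit)}: "
              f"{hit['CommandLine']}")
```

Running the block prints the two matching events with the indicator that fired; a real pipeline would emit the rule's `title`, `id`, `level` and ATT&CK tags alongside the event instead of a print line.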
Related rules
- Sysmon Driver Unloaded Via Fltmc.EXE
- Suspicious Registry Key Added: LanmanServer Parameters
- Suspicious Registry Key Set (MaxMpxCt)
- Powershell MS Defender Tampering - ScriptBlockLogging
- ETW Logging Disabled In .NET Processes - Registry