ETW Logging Tamper In .NET Processes

 1title: ETW Logging Tamper In .NET Processes
 2id: 41421f44-58f9-455d-838a-c398859841d4
 3status: test
 4description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
 5references:
 6    - https://twitter.com/_xpn_/status/1268712093928378368
 7    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
 8    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
 9    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
10    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
11    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
12    - https://bunnyinside.com/?term=f71e8cb9c76a
13    - http://managed670.rssing.com/chan-5590147/all_p1.html
14    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
15    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
16author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
17date: 2020/05/02
18modified: 2022/12/09
19tags:
20    - attack.defense_evasion
21    - attack.t1562
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection:
27        CommandLine|contains:
28            - 'COMPlus_ETWEnabled'
29            - 'COMPlus_ETWFlags'
30    condition: selection
31falsepositives:
32    - Unlikely
33level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr

  
  Read More

• runtime/docs/design/coreclr/jit/viewing-jit-dumps.md at ee2355c801d892f2894b0f7b14a20e6cc50e0e54 · dotnet/runtime

  

  .NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - dotnet/runtime

  
  Read More

• runtime/src/coreclr/src/inc/clrconfigvalues.h at f62e93416a1799aecc6b0947adad55a0d9870732 · dotnet/runtime

  

  .NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - dotnet/runtime

  
  Read More

• runtime/src/coreclr/src/inc/clrconfig.h at 7abe42dc1123722ed385218268bb9fe04556e3d3 · dotnet/runtime

  

  .NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - dotnet/runtime

  
  Read More

• Build software better, together

  

  GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 420 million projects.

  
  Read More

• https://bunnyinside.com/?term=f71e8cb9c76a

  
  Read More

• JIT, NGen, and other Managed Code Generation Stuff

  Introduction One argument often made by those who dislike managed code is along the lines of “managed code can never be as fast as native code, because managed code has to do array bounds checks.” ...

  
  Read More

• runtime/docs/coding-guidelines/clr-jit-coding-conventions.md at 4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723 · dotnet/runtime

  

  .NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - dotnet/runtime

  
  Read More

• ´o b¡ó2jx¦@¬rOJiÜ—-„’F“»ST€À‘ňŒf�aÔ±n”nÃD…™ÑÛ(0)ˆ¶àS?‹œÑ>2Gn;$¬8ºÄì¨r¾´ÄC$›IÀ4ç�UÍ0E!­´ðˆ[“‘Bij7 .æ£!£8 Ùø 8¦$QË�ÍŠp™9NîÕ"ˆ {ØOr.שµº´¤‡ÆÚ—ÍŽÙ FËç�j'…bÛ�ùëTÙ‹šžd¶4Psw{...

  
  Read More

Related rules

• Sysmon Driver Unloaded Via Fltmc.EXE
• Suspicious Registry Key Added: LanmanServer Parameters
• Suspicious Registry Key Set (MaxMpxCt)
• Powershell MS Defender Tampering - ScriptBlockLogging
• ETW Logging Disabled In .NET Processes - Registry