{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/etw/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[".NETFramework","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["etw","registry","defense-evasion","windows","t1127","t1685"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe detection identifies registry modifications that disable Event Tracing for Windows (ETW) for the .NET Framework. By modifying the \u003ccode\u003eETWEnabled\u003c/code\u003e registry value under the \u003ccode\u003e.NETFramework\u003c/code\u003e path, attackers can disable ETW, a crucial logging mechanism. This allows them to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. Disabling ETW can allow attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. This technique is a form of defense evasion and can be used in conjunction with other malicious activities to maintain a stealthy presence on the system. The referenced Splunk detection \u003ccode\u003eetw_registry_disabled.yml\u003c/code\u003e version 17 provides the basis for identifying this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the system, possibly through phishing, exploitation of a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Needed):\u003c/strong\u003e The attacker escalates privileges to gain the necessary permissions to modify registry keys, if they do not already have them.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify ETW Configuration:\u003c/strong\u003e The attacker identifies the specific registry path for ETW configuration related to the .NET Framework: \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\.NETFramework\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify Registry Value:\u003c/strong\u003e The attacker modifies the \u003ccode\u003eETWEnabled\u003c/code\u003e registry value under the identified path to \u003ccode\u003e0x00000000\u003c/code\u003e, effectively disabling ETW. This may involve using tools like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecute Malicious Actions:\u003c/strong\u003e With ETW disabled, the attacker executes malicious actions, such as deploying malware, performing lateral movement, or exfiltrating data. These actions are less likely to be logged or detected by security tools because ETW is disabled.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMaintain Persistence:\u003c/strong\u003e The attacker establishes persistence mechanisms to maintain access to the system, ensuring that their access is not disrupted by system restarts or other events.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised system as a pivot point to move laterally to other systems within the network, potentially compromising additional resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker exfiltrates sensitive data from the compromised systems or performs other destructive actions, such as deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling ETW can significantly hinder the ability of security teams to detect and respond to malicious activity. If successful, attackers can operate undetected within the environment, potentially leading to data breaches, financial losses, and reputational damage. Successful use of this technique could lead to widespread data exfiltration, system compromise, and deployment of ransomware, impacting all affected systems and potentially leading to significant business disruption. The CISA AA23-347A analytic story highlights the potential for data destruction and wiper malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 to monitor registry modifications, especially those targeting ETW-related registry keys.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ETW Registry Disabled\u003c/code\u003e to your SIEM and tune it for your environment to detect potential ETW disabling attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eDetect ETW Registry Disabled\u003c/code\u003e rule to determine the legitimacy of the registry modifications.\u003c/li\u003e\n\u003cli\u003eReview and harden registry permissions to restrict unauthorized modifications, particularly to sensitive registry keys like those related to ETW configuration, to prevent unauthorized ETW disabling.\u003c/li\u003e\n\u003cli\u003eEnsure that the official Sysmon TA is at least version 2.0, as noted in the \u0026ldquo;How to Implement\u0026rdquo; section of the Splunk detection, so that logs are ingested and parsed correctly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"/briefs/2024-01-etw-registry-disabled/","summary":"Attackers may disable Event Tracing for Windows (ETW) for the .NET Framework by modifying the ETWEnabled registry value, allowing them to evade endpoint detection and response (EDR) tools and hide malicious activity.","title":"ETW Registry Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-etw-registry-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[".NETFramework","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-modification","etw","ransomware","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers may attempt to disable Event Tracing for Windows (ETW) to evade detection mechanisms and make it more difficult for security tools to monitor malicious activities. This is often achieved by modifying specific registry keys associated with .NET Framework ETW settings. By setting the \u003ccode\u003eETWEnabled\u003c/code\u003e value to \u003ccode\u003e0x00000000\u003c/code\u003e, adversaries can effectively turn off ETW, allowing them to execute payloads with minimal alerting. This technique is often observed in ransomware and other advanced attacks where stealth and persistence are crucial for success. This activity is significant because disabling ETW impairs defenses and potentially leads to further compromise of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through various means such as phishing, exploitation of vulnerabilities, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains administrative privileges on the targeted system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line interface (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) or a scripting language to interact with the Windows Registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry value \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled\u003c/code\u003e (or a similar value), setting it to \u003ccode\u003e0x00000000\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis modification disables ETW, preventing the system from logging certain events and activities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious code or payloads without being easily detected.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data exfiltration, ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of ETW allows attackers to operate with a significantly reduced risk of detection. This can lead to prolonged periods of undetected malicious activity, resulting in significant data breaches, financial losses, and reputational damage. Ransomware actors, in particular, benefit from this technique as it allows them to encrypt systems without triggering security alerts, maximizing their chances of a successful extortion attempt.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 to monitor registry modifications and detect changes to the \u003ccode\u003e*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\u003c/code\u003e registry path.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ETW Disabling Through Registry Modification\u0026rdquo; to your SIEM to identify potential ETW disabling attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the processes that modified the specified registry keys.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit who can modify registry settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-etw-registry/","summary":"Attackers may disable Event Tracing for Windows (ETW) by modifying specific registry keys to evade detection and hinder security monitoring, potentially leading to further system compromise.","title":"Detection of ETW Disabling via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-etw-registry/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-modification","etw"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAttackers may attempt to disable Event Tracing for Windows (ETW) for the .NET Framework to evade detection by security tools. This involves modifying the \u003ccode\u003eCOMPlus_ETWEnabled\u003c/code\u003e registry value to disable .NET ETW logging, preventing security products from monitoring .NET-based threats. The registry value is located under the \u0026ldquo;Environment\u0026rdquo; registry key path for both user (HKCU\\Environment) and machine (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment) scopes. Disabling ETW allows attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. This technique has been observed across various threat actors aiming to evade EDR solutions, making it a critical concern for defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain administrative rights.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the registry key \u003ccode\u003eHKCU\\Environment\u003c/code\u003e or \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eCOMPlus_ETWEnabled\u003c/code\u003e registry value to \u003ccode\u003e0\u003c/code\u003e or \u003ccode\u003e0x00000000\u003c/code\u003e. This can be achieved through tools like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe system processes the registry change, effectively disabling .NET ETW logging.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious .NET code without generating ETW logs.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement and other malicious activities, evading detection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of .NET ETW logging can severely limit the visibility of security tools into malicious activities, allowing attackers to operate undetected. This can lead to prolonged compromises, data breaches, and ransomware infections. The impact is widespread as it affects any organization relying on .NET ETW for security monitoring. Disabling ETW could bypass many endpoint detection and response (EDR) solutions that rely on this logging, potentially impacting thousands of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 to monitor registry modifications, as this is the primary data source for detecting the described activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Dotnet ETW Disabled Via Registry\u003c/code\u003e to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any changes to the \u003ccode\u003eCOMPlus_ETWEnabled\u003c/code\u003e registry value, especially if initiated by unusual processes.\u003c/li\u003e\n\u003cli\u003eMonitor for command-line arguments used to modify registry keys via \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell, using the Sigma rule \u003ccode\u003eDetect Registry Modification via Command Line\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure that your Sysmon configuration is up to date and includes the necessary registry monitoring configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-dotnet-etw-disable/","summary":"Attackers may modify the Windows registry to disable ETW logging for the .NET Framework, hindering endpoint detection and response capabilities.","title":"Registry Modification to Disable .NET ETW Logging","url":"https://feed.craftedsignal.io/briefs/2024-01-dotnet-etw-disable/"}],"language":"en","title":"CraftedSignal Threat Feed — Etw","version":"https://jsonfeed.org/version/1.1"}