Etw — CraftedSignal Threat Feed

ETW Registry Disabled via Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 14:22:00 +0000

The detection identifies registry modifications that disable Event Tracing for Windows (ETW) for the .NET Framework. By modifying the ETWEnabled registry value under the .NETFramework path, attackers can disable ETW, a crucial logging mechanism. This allows them to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. Disabling ETW can allow attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. This technique is a form of defense evasion and can be used in conjunction with other malicious activities to maintain a stealthy presence on the system. The referenced Splunk detection etw_registry_disabled.yml version 17 provides the basis for identifying this behavior.

Attack Chain

Initial Access: An attacker gains initial access to the system, possibly through phishing, exploitation of a vulnerability, or compromised credentials.
Privilege Escalation (If Needed): The attacker escalates privileges to gain the necessary permissions to modify registry keys, if they do not already have them.
Identify ETW Configuration: The attacker identifies the specific registry path for ETW configuration related to the .NET Framework: HKLM\SOFTWARE\Microsoft\.NETFramework.
Modify Registry Value: The attacker modifies the ETWEnabled registry value under the identified path to 0x00000000, effectively disabling ETW. This may involve using tools like reg.exe or PowerShell to modify the registry.
Execute Malicious Actions: With ETW disabled, the attacker executes malicious actions, such as deploying malware, performing lateral movement, or exfiltrating data. These actions are less likely to be logged or detected by security tools due to the disabled ETW.
Maintain Persistence: The attacker establishes persistence mechanisms to maintain access to the system, ensuring that their access is not disrupted by system restarts or other events.
Lateral Movement: The attacker uses the compromised system as a pivot point to move laterally to other systems within the network, potentially compromising additional resources.
Data Exfiltration/Impact: The attacker exfiltrates sensitive data from the compromised systems or performs other destructive actions, such as deploying ransomware.

Impact

Disabling ETW can significantly hinder the ability of security teams to detect and respond to malicious activity. If successful, attackers can operate undetected within the environment, potentially leading to data breaches, financial losses, and reputational damage. Successful exploitation could lead to widespread data exfiltration, system compromise, and deployment of ransomware, impacting all affected systems and potentially leading to significant business disruption. The CISA AA23-347A analytic story highlights the potential for data destruction and wiper malware.

Recommendation

Enable Sysmon Event ID 13 to monitor registry modifications, especially those targeting ETW-related registry keys.
Deploy the Sigma rule Detect ETW Registry Disabled to your SIEM and tune for your environment to detect potential ETW disabling attempts.
Investigate any alerts generated by the Detect ETW Registry Disabled rule to determine the legitimacy of the registry modifications.
Review and harden registry permissions to restrict unauthorized modifications, particularly to sensitive registry keys like those related to ETW configuration, to prevent unauthorized ETW disabling.
Ensure that the official Sysmon TA is at least version 2.0, as mentioned in the “How to Implement” section, to ensure proper log ingestion and parsing.

Detection of ETW Disabling via Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers may attempt to disable Event Tracing for Windows (ETW) to evade detection mechanisms and make it more difficult for security tools to monitor malicious activities. This is often achieved by modifying specific registry keys associated with .NET Framework ETW settings. By setting the ETWEnabled value to 0x00000000, adversaries can effectively turn off ETW, allowing them to execute payloads with minimal alerting. This technique is often observed in ransomware and other advanced attacks where stealth and persistence are crucial for success. This activity is significant because disabling ETW impairs defenses and potentially leads to further compromise of the system.

Attack Chain

Initial access is achieved through various means such as phishing, exploitation of vulnerabilities, or compromised credentials.
The attacker gains administrative privileges on the targeted system.
The attacker uses a command-line interface (e.g., cmd.exe, powershell.exe) or a scripting language to interact with the Windows Registry.
The attacker modifies the registry key HKLM\SOFTWARE\Microsoft\.NETFramework\ETWEnabled (or a similar key) setting its value to 0x00000000.
This modification disables ETW, preventing the system from logging certain events and activities.
The attacker executes malicious code or payloads without being easily detected.
The attacker moves laterally within the network, compromising additional systems.
The final objective is achieved, such as data exfiltration, ransomware deployment, or system disruption.

Impact

Successful disabling of ETW allows attackers to operate with a significantly reduced risk of detection. This can lead to prolonged periods of undetected malicious activity, resulting in significant data breaches, financial losses, and reputational damage. Ransomware actors, in particular, benefit from this technique as it allows them to encrypt systems without triggering security alerts, maximizing their chances of a successful extortion attempt.

Recommendation

Enable Sysmon Event ID 13 to monitor registry modifications and detect changes to the *\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled registry path (data_source).
Deploy the Sigma rule “Detect ETW Disabling Through Registry Modification” to your SIEM to identify potential ETW disabling attempts (rules).
Investigate any alerts generated by the Sigma rule, focusing on processes modifying the specified registry keys (rules).
Implement strict access control policies to limit who can modify registry settings (description).

Registry Modification to Disable .NET ETW Logging

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

Attackers may attempt to disable Event Tracing for Windows (ETW) for the .NET Framework to evade detection by security tools. This involves modifying the COMPlus_ETWEnabled registry value to disable .NET ETW logging, preventing security products from monitoring .NET-based threats. The registry value is located under the “Environment” registry key path for both user (HKCU\Environment) and machine (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) scopes. Disabling ETW allows attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. This technique has been observed across various threat actors aiming to evade EDR solutions, making it a critical concern for defenders.

Attack Chain

The attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.
The attacker escalates privileges to obtain administrative rights.
The attacker identifies the registry key HKCU\Environment or HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment.
The attacker modifies the COMPlus_ETWEnabled registry value to 0 or 0x00000000. This can be achieved through tools like reg.exe or PowerShell.
The system processes the registry change, effectively disabling .NET ETW logging.
The attacker executes malicious .NET code without generating ETW logs.
The attacker performs lateral movement and other malicious activities, evading detection.
The attacker achieves their final objective, such as data exfiltration or ransomware deployment.

Impact

Successful disabling of .NET ETW logging can severely limit the visibility of security tools into malicious activities, allowing attackers to operate undetected. This can lead to prolonged compromises, data breaches, and ransomware infections. The impact is widespread as it affects any organization relying on .NET ETW for security monitoring. Disabling ETW could bypass many endpoint detection and response (EDR) solutions that rely on this logging, potentially impacting thousands of organizations.

Recommendation

Enable Sysmon EventID 13 to monitor registry modifications, as this is the primary data source for detecting the described activity.
Deploy the Sigma rule Detect Dotnet ETW Disabled Via Registry to your SIEM and tune for your environment.
Investigate any changes to the COMPlus_ETWEnabled registry value, especially if initiated by unusual processes.
Monitor for command-line arguments used to modify registry keys via reg.exe or PowerShell, using the Sigma rule Detect Registry Modification via Command Line.
Ensure that your Sysmon configuration is up to date and includes the necessary registry monitoring configurations.