{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1127/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[".NETFramework","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["etw","registry","defense-evasion","windows","t1127","t1685"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe detection identifies registry modifications that disable Event Tracing for Windows (ETW) for the .NET Framework. By modifying the \u003ccode\u003eETWEnabled\u003c/code\u003e registry value under the \u003ccode\u003e.NETFramework\u003c/code\u003e path, attackers can disable ETW, a crucial logging mechanism. This allows them to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. Disabling ETW can allow attackers to operate undetected, potentially leading to further compromise and persistent access within the environment. This technique is a form of defense evasion and can be used in conjunction with other malicious activities to maintain a stealthy presence on the system. The referenced Splunk detection \u003ccode\u003eetw_registry_disabled.yml\u003c/code\u003e version 17 provides the basis for identifying this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the system, possibly through phishing, exploitation of a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Needed):\u003c/strong\u003e The attacker escalates privileges to gain the necessary permissions to modify registry keys, if they do not already have them.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify ETW Configuration:\u003c/strong\u003e The attacker identifies the specific registry path for ETW configuration related to the .NET Framework: \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\.NETFramework\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify Registry Value:\u003c/strong\u003e The attacker modifies the \u003ccode\u003eETWEnabled\u003c/code\u003e registry value under the identified path to \u003ccode\u003e0x00000000\u003c/code\u003e, effectively disabling ETW. This may involve using tools like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecute Malicious Actions:\u003c/strong\u003e With ETW disabled, the attacker executes malicious actions, such as deploying malware, performing lateral movement, or exfiltrating data. These actions are less likely to be logged or detected by security tools due to the disabled ETW.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMaintain Persistence:\u003c/strong\u003e The attacker establishes persistence mechanisms to maintain access to the system, ensuring that their access is not disrupted by system restarts or other events.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised system as a pivot point to move laterally to other systems within the network, potentially compromising additional resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker exfiltrates sensitive data from the compromised systems or performs other destructive actions, such as deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling ETW can significantly hinder the ability of security teams to detect and respond to malicious activity. If successful, attackers can operate undetected within the environment, potentially leading to data breaches, financial losses, and reputational damage. Successful exploitation could lead to widespread data exfiltration, system compromise, and deployment of ransomware, impacting all affected systems and potentially leading to significant business disruption. The CISA AA23-347A analytic story highlights the potential for data destruction and wiper malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 to monitor registry modifications, especially those targeting ETW-related registry keys.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ETW Registry Disabled\u003c/code\u003e to your SIEM and tune for your environment to detect potential ETW disabling attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eDetect ETW Registry Disabled\u003c/code\u003e rule to determine the legitimacy of the registry modifications.\u003c/li\u003e\n\u003cli\u003eReview and harden registry permissions to restrict unauthorized modifications, particularly to sensitive registry keys like those related to ETW configuration, to prevent unauthorized ETW disabling.\u003c/li\u003e\n\u003cli\u003eEnsure that the official Sysmon TA is at least version 2.0, as mentioned in the \u0026ldquo;How to Implement\u0026rdquo; section, to ensure proper log ingestion and parsing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"/briefs/2024-01-etw-registry-disabled/","summary":"Attackers may disable Event Tracing for Windows (ETW) for the .NET Framework by modifying the ETWEnabled registry value, allowing them to evade endpoint detection and response (EDR) tools and hide malicious activity.","title":"ETW Registry Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-etw-registry-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — T1127","version":"https://jsonfeed.org/version/1.1"}