Adversaries may disable ETW logging in .NET processes to suppress forensic data and evade detection by preventing the recording of loaded assemblies. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or exfiltration activities that could compromise system integrity.
Detection Rule
title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
    - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
      type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
    - https://twitter.com/_xpn_/status/1268712093928378368
    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
    - https://bunnyinside.com/?term=f71e8cb9c76a
    - http://managed670.rssing.com/chan-5590147/all_p1.html
    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2022-12-20
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
    - attack.t1562
logsource:
    product: windows
    service: security
detection:
    selection_etw_enabled:
        EventID: 4657
        ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
        ObjectValueName: 'ETWEnabled'
        NewValue: 0
    selection_complus:
        EventID: 4657
        ObjectName|contains: '\Environment'
        ObjectValueName:
            - 'COMPlus_ETWEnabled'
            - 'COMPlus_ETWFlags'
        NewValue: 0
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
imRegistry
| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\.NETFramework"
         and RegistryValue =~ "ETWEnabled"
         and RegistryValueData == 0)
    or (RegistryKey contains "\\Environment"
        and (RegistryValue in~ ("COMPlus_ETWEnabled", "COMPlus_ETWFlags"))
        and RegistryValueData == 0)
Scenario: .NET Framework Installation or Update
Description: During a .NET Framework installation or update, the system may temporarily disable ETW logging as part of the installation process.
Filter/Exclusion: Check for registry changes related to Microsoft.NETFramework or Microsoft.NETCore in the HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP path, or filter by process names like dotnet.exe, setup.exe, or msiexec.exe.
Scenario: Scheduled Job for .NET Application Maintenance
Description: A legitimate scheduled job (e.g., Task Scheduler task) may run a .NET-based maintenance script that temporarily disables ETW logging to prevent log flooding.
Filter/Exclusion: Filter events where the process is associated with a known maintenance task (e.g., Task Scheduler or schtasks.exe), or check for registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\TaskScheduler that reference the task.
Scenario: .NET Application Configuration Reset
Description: An admin may reset .NET application settings using tools like aspnet_regiis.exe or dotnet.exe, which could temporarily affect ETW logging.
Filter/Exclusion: Filter events where the process is aspnet_regiis.exe, dotnet.exe, or ngen.exe, and check for registry changes under HKLM\Software\Microsoft\NET Framework or HKLM\Software\Microsoft\DotNet.
Scenario: System Update or Patching
Description: During a Windows update or patching process, ETW logging may be disabled as part of the system configuration changes.
Filter/Exclusion: Filter events where the process is wusa.exe, setup.exe, or dism.exe, and check for registry changes