
@Cyb3rWard0g
Last active November 23, 2023 20:05

Initial Notes:

  • The .NET Runtime Event Provider is governed by the ETWEnabled configuration knob. The MSDN forum thread cited in the Sigma rules below describes the provider as requiring COMPLUS_ETWEnabled=1 in the process environment; setting it to 0 is what stops the CLR from emitting its ETW events (loaded assemblies included) for that process.
  • CLRConfig looks for a configuration value in the following places, in this order:
    • Environment variables (prepending COMPlus_ to the name; Windows environment variable names are case-insensitive, so COMPLUS_ETWEnabled and COMPlus_ETWEnabled are the same variable)
    • The framework registry key HKCU\Software\Microsoft\.NETFramework
    • The framework registry key HKLM\Software\Microsoft\.NETFramework
  • The first source that defines the value wins, so a per-process environment variable overrides both registry keys, and an HKCU value overrides HKLM.
  • These can be set in the following ways:
    • Setting the environment variable COMPlus_<flagName>:
      • cmd.exe: set COMPlus_ETWEnabled=0
      • PowerShell: $env:COMPlus_ETWEnabled=0
    • Setting the registry key HKCU\Software\Microsoft\.NETFramework, Value <flagName>, type REG_SZ or REG_DWORD (depending on the flag).
    • Setting the registry key HKLM\Software\Microsoft\.NETFramework, Value <flagName>, type REG_SZ or REG_DWORD (depending on the flag).

Process vs User vs Machine (System) Scope Environment Variables

  • Process-scope (temporary) environment variables do not generate registry entries. They affect only the current process and its child processes, and at that level they override User and System variables of the same name.
  • User environment variables are stored in HKEY_CURRENT_USER\Environment
  • System environment variables are stored in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
  • User and System variables are copied into a process environment when the process starts (inherited from its parent), so a registry change here affects processes launched afterwards, not ones already running.

Initial Detection Ideas

Adversary Modifying/Setting Property values on .NETFramework

How-to (writing HKLM requires administrative rights; the same value under HKCU\Software\Microsoft\.NETFramework needs none and is consulted before HKLM):

  • REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0
  • New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -force

Windows Security Event Approach

Creating SACL:

git clone https://github.com/OTRF/Set-AuditRule
cd Set-AuditRule/
Import-Module .\Set-AuditRule

Set-AuditRule -RegistryPath HKLM:\Software\Microsoft\.NETFramework -IdentityReference Everyone -Rights WriteKey -InheritanceFlags None -PropagationFlags None -AuditFlags Success

Generates Event 4657 (only if the Object Access > Audit Registry subcategory is enabled in the audit policy; the SACL alone produces nothing). The SACL above covers only the HKLM key; the HKCU copy of the key, which CLRConfig consults first, lives in each user's hive and needs its own audit rule.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4657</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12801</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2020-06-05T14:19:46.191217300Z" />
    <EventRecordID>4696</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="7596" />
    <Channel>Security</Channel>
    <Computer>WIN001</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3546175504-2357902153-469416152-500</Data>
    <Data Name="SubjectUserName">wardog</Data>
    <Data Name="SubjectDomainName">WIN001</Data>
    <Data Name="SubjectLogonId">0x30389e</Data>
    <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\.NETFramework</Data>
    <Data Name="ObjectValueName">ETWEnabled</Data>
    <Data Name="HandleId">0xac</Data>
    <Data Name="OperationType">%%1904</Data>
    <Data Name="OldValueType">-</Data>
    <Data Name="OldValue">-</Data>
    <Data Name="NewValueType">%%1876</Data>
    <Data Name="NewValue">0</Data>
    <Data Name="ProcessId">0x232c</Data>
    <Data Name="ProcessName">C:\Windows\System32\reg.exe</Data>
  </EventData>
</Event>

Sysmon Approach

Sysmon Config

<Sysmon schemaversion="4.30">
   <!-- Capture all hashes -->
   <HashAlgorithms>*</HashAlgorithms>
   <EventFiltering>
	<RuleGroup name="" groupRelation="or">
	<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. With onmatch="include" only writes to the two values below are logged -->
		<RegistryEvent onmatch="include">
			<TargetObject condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
			<TargetObject condition="end with">Environment\COMPlus_ETWEnabled</TargetObject>
		</RegistryEvent>
	</RuleGroup>
  </EventFiltering>
</Sysmon>

Generates Event ID 13 (SetValue)

Modifying .NETFramework Registry

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>13</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>13</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2020-06-05T14:49:05.832297000Z" />
    <EventRecordID>7599132</EventRecordID>
    <Correlation />
    <Execution ProcessID="3728" ThreadID="4120" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WIN001</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2020-06-05 14:49:05.830</Data>
    <Data Name="ProcessGuid">{4658655a-5aaf-5eda-0608-000000000300}</Data>
    <Data Name="ProcessId">8612</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\.NETFramework\ETWEnabled</Data>
    <Data Name="Details">DWORD (0x00000000)</Data>
  </EventData>
</Event>

Setting Machine Scope Environment Variables (the sample below was generated with the value 1; a write of 0 is the case the Sigma rules further down look for)

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>13</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>13</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2020-06-08T17:22:12.7733715Z" />
    <EventRecordID>10172</EventRecordID>
    <Correlation />
    <Execution ProcessID="3952" ThreadID="7888" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>DESKTOP-XYZ</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2020-06-08 17:22:12.763</Data>
    <Data Name="ProcessGuid">{f59df1a0-73b6-5ede-0003-000000000400}</Data>
    <Data Name="ProcessId">11364</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TargetObject">HKLM\System\CurrentControlSet\Control\Session Manager\Environment\COMPlus_ETWEnabled</Data>
    <Data Name="Details">1</Data>
  </EventData>
</Event>

Creating Sigma Rules

Windows Security Auditing Rules

Registry Modification of .NETFramework

title: COMPlus_ETWEnabled Registry Modification
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
  - https://twitter.com/_xpn_/status/1268712093928378368
  - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
  - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
  - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
  - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
  - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
  - https://bunnyinside.com/?term=f71e8cb9c76a
  - http://managed670.rssing.com/chan-5590147/all_p1.html
  - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4657
        ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework' 
        ObjectValueName: 'ETWEnabled'
        NewValue: '0'
    condition: selection
falsepositives:
    - unknown
level: critical

Basic Process CommandLine Arguments

title: COMPlus_ETWEnabled Command Line Arguments
id: 41421f44-58f9-455d-838a-c398859841d4
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
  - https://twitter.com/_xpn_/status/1268712093928378368
  - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
  - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
  - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
  - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
  - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
  - https://bunnyinside.com/?term=f71e8cb9c76a
  - http://managed670.rssing.com/chan-5590147/all_p1.html
  - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
tags:
    - attack.defense_evasion
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        CommandLine|contains: 'COMPlus_ETWEnabled=0'
    condition: selection
falsepositives:
    - unknown
level: critical

Sysmon Rules

Registry Modification of .NETFramework

title: COMPlus_ETWEnabled Registry Modification
id: 41421f44-58f9-455d-838a-c398859841d4
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
  - https://twitter.com/_xpn_/status/1268712093928378368
  - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
  - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
  - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
  - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
  - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
  - https://bunnyinside.com/?term=f71e8cb9c76a
  - http://managed670.rssing.com/chan-5590147/all_p1.html
  - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
  - https://twitter.com/Cyb3rWard0g/status/1270034301757857806
  - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_environment_variables?view=powershell-7#changing-environment-variables
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 13
    selection2:
        TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
        Details: 'DWORD (0x00000000)'
    selection3:
        TargetObject|endswith: 'Environment\COMPlus_ETWEnabled'
        Details: '0'
    condition: selection1 and (selection2 or selection3)
falsepositives:
    - unknown
level: critical
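
The two registry-modification rules (the Windows Security Auditing rule above and this Sysmon rule) run over sample records below, as an added example that is not part of the gist. It flattens the EVTX-style XML shown earlier into the fields a SIEM exposes and evaluates each rule's selections and condition the way a Sigma backend would (string comparisons are case-insensitive in Sigma). The records are constructed: three are trimmed copies of the events shown above, while the HKCU\Environment record and the WOW6432Node record are assumed. The WOW6432Node handling goes beyond the page's rule: a 32-bit process that writes HKLM\SOFTWARE\Microsoft\.NETFramework is redirected to the WOW6432Node view, which the rule's 'SOFTWARE\Microsoft\...' suffix never matches even though that is exactly the key a 32-bit CLR reads.

```python
# Added example (not from the gist): parse the EVTX-style XML records shown
# above and evaluate the two registry-modification Sigma rules over them.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Flatten one record into {field: value}: System/EventID plus every
    EventData/Data element keyed by its Name attribute, which is the shape the
    Sigma rules reference (EventID, ObjectName, TargetObject, Details, ...)."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def _endswith(value, suffix):
    # Sigma string comparisons are case-insensitive by default.
    return value.casefold().endswith(suffix.casefold())


def security_rule(ev):
    """'COMPlus_ETWEnabled Registry Modification' for logsource service: security."""
    return (
        ev["EventID"] == 4657
        and _endswith(ev.get("ObjectName", ""), r"\SOFTWARE\Microsoft\.NETFramework")
        and ev.get("ObjectValueName", "").casefold() == "etwenabled"
        and ev.get("NewValue") == "0"
    )


def sysmon_rule(ev, include_wow6432node=False):
    r"""'COMPlus_ETWEnabled Registry Modification' for logsource service: sysmon.

    include_wow6432node=True goes beyond the page's rule: a 32-bit writer of
    HKLM\SOFTWARE\Microsoft\.NETFramework lands in the WOW6432Node view, which
    the 'SOFTWARE\Microsoft\...' suffix never matches."""
    if ev["EventID"] != 13:
        return False
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    key_suffix = r"Microsoft\.NETFramework\ETWEnabled"
    if not include_wow6432node:
        key_suffix = "SOFTWARE\\" + key_suffix
    selection2 = _endswith(target, key_suffix) and details.casefold() == "dword (0x00000000)"
    selection3 = _endswith(target, r"Environment\COMPlus_ETWEnabled") and details == "0"
    return selection2 or selection3


def make_event(event_id, **data):
    """Build a minimal record in the XML shape above (constructed test input only)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


# Constructed sample records, trimmed to the fields the rules read.
SAMPLES = {
    # Security 4657 written by reg.exe (cut down from the record above)
    "security_hklm_dword0": make_event(
        4657, ObjectName=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\.NETFramework",
        ObjectValueName="ETWEnabled", NewValue="0", ProcessName=r"C:\Windows\System32\reg.exe"),
    # Sysmon 13 from powershell.exe (cut down from the record above)
    "sysmon_hklm_dword0": make_event(
        13, TargetObject=r"HKLM\SOFTWARE\Microsoft\.NETFramework\ETWEnabled", Details="DWORD (0x00000000)"),
    # Sysmon 13 machine-scope variable (cut down from the record above): value 1 must not fire
    "sysmon_machine_env_1": make_event(
        13, TargetObject=r"HKLM\System\CurrentControlSet\Control\Session Manager\Environment\COMPlus_ETWEnabled",
        Details="1"),
    # Assumed: user-scope variable set to 0 under HKCU\Environment
    "sysmon_user_env_0": make_event(13, TargetObject=r"HKCU\Environment\COMPlus_ETWEnabled", Details="0"),
    # Assumed: 32-bit writer redirected to the WOW6432Node view of the key
    "sysmon_wow64_dword0": make_event(
        13, TargetObject=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\ETWEnabled",
        Details="DWORD (0x00000000)"),
}


def run_detections(samples=SAMPLES, include_wow6432node=False):
    """Return {sample name: True if either rule fires on that record}."""
    hits = {}
    for name, xml_text in samples.items():
        ev = parse_event(xml_text)
        hits[name] = security_rule(ev) or sysmon_rule(ev, include_wow6432node)
    return hits


if __name__ == "__main__":
    for name, hit in run_detections().items():
        print(f"{name:22} fires: {hit}")
    print("WOW6432Node-aware:", run_detections(include_wow6432node=True)["sysmon_wow64_dword0"])
```

Run as a script it prints one line per sample; the machine-scope record with Details 1 stays silent, the HKCU\Environment record fires through selection3 because the rule's endswith covers both Environment keys, and the WOW6432Node record fires only with the broader suffix.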

Basic Process CommandLine Arguments

title: COMPlus_ETWEnabled Command Line Arguments
id: 41421f44-58f9-455d-838a-c398859841d4
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
  - https://twitter.com/_xpn_/status/1268712093928378368
  - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
  - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
  - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
  - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
  - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
  - https://bunnyinside.com/?term=f71e8cb9c76a
  - http://managed670.rssing.com/chan-5590147/all_p1.html
  - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
tags:
    - attack.defense_evasion
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine|contains: 'COMPlus_ETWEnabled=0'
    condition: selection
falsepositives:
    - unknown
level: critical
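
As an added example that is not part of the gist, the command-line clause shared by the two 'COMPlus_ETWEnabled Command Line Arguments' rules (Security 4688 and Sysmon event 1) is compared against a pattern-based match over constructed command lines. The literal contains 'COMPlus_ETWEnabled=0' catches the cmd.exe and $env: one-liners but misses spaces around '=', Set-Item env:, [Environment]::SetEnvironmentVariable (the form that produces the Session Manager\Environment write shown earlier), and the reg.exe / New-ItemProperty how-to commands, which the registry rules must cover. The command lines are constructed, not real telemetry, and C:\Tools\app.exe is a placeholder. Both rules also assume the command line is logged at all: 4688 carries CommandLine only when 'Include command line in process creation events' is enabled, whereas Sysmon event 1 always records it.

```python
# Added example (not from the gist): command-line matching for the two
# 'COMPlus_ETWEnabled Command Line Arguments' rules above, showing what the
# literal 'contains' clause catches and which spelling variants need a pattern.
import re

# The page's clause: CommandLine|contains 'COMPlus_ETWEnabled=0'. Sigma string
# matching is case-insensitive, so the comparison is casefolded.
LITERAL = "COMPlus_ETWEnabled=0".casefold()

# Environment-variable form: the name, an optional quote, then '=' / ',' /
# whitespace, then a numeric token. Covers cmd.exe 'set X=0', '$env:X = 0',
# 'Set-Item env:X 0' and [Environment]::SetEnvironmentVariable('X','0',...).
ENV_FORM = re.compile(
    r"""COMPlus_ETWEnabled['"]?\s*(?:=|,|\s)\s*['"]?(?P<value>(?:0x)?[0-9a-f]+)""",
    re.IGNORECASE,
)

# Registry form: the two how-to commands above, reg.exe '/v ETWEnabled ... /d 0'
# and PowerShell '-Name ETWEnabled ... -Value 0'.
REG_FORM = re.compile(
    r"""(?:/v\s+ETWEnabled\b.*?/d\s+|-Name\s+['"]?ETWEnabled['"]?.*?-Value\s+)"""
    r"""['"]?(?P<value>(?:0x)?[0-9a-f]+)""",
    re.IGNORECASE | re.DOTALL,
)


def literal_match(cmdline):
    """What the page's rules do: a plain case-insensitive substring test."""
    return LITERAL in cmdline.casefold()


def _is_zero(token):
    # '0', '00' and '0x0' all disable ETW; a zero token is zero in any base.
    return int(token, 16) == 0


def classify(cmdline):
    """Return 'env', 'registry' or None for one CommandLine value."""
    m = ENV_FORM.search(cmdline)
    if m and _is_zero(m.group("value")):
        return "env"
    m = REG_FORM.search(cmdline)
    if m and _is_zero(m.group("value")):
        return "registry"
    return None


# Constructed command lines (not real telemetry), as they would appear in the
# CommandLine field of Security 4688 or Sysmon event 1. app.exe is a placeholder.
SAMPLES = {
    "cmd_set": r'cmd.exe /c "set COMPlus_ETWEnabled=0 && C:\Tools\app.exe"',
    "ps_env_literal": r'powershell.exe -c "$env:COMPlus_ETWEnabled=0; C:\Tools\app.exe"',
    "ps_env_spaced": r'powershell.exe -c "$env:COMPLUS_ETWEnabled = 0; C:\Tools\app.exe"',
    "ps_set_item": r'powershell.exe -c "Set-Item env:COMPlus_ETWEnabled 0; C:\Tools\app.exe"',
    "ps_machine_scope": r'''powershell.exe -c "[Environment]::SetEnvironmentVariable('COMPlus_ETWEnabled', '0', 'Machine')"''',
    "reg_add": r"reg.exe add HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0 /f",
    "ps_new_itemproperty": r'powershell.exe -c "New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType DWord -Force"',
    "benign_set_to_1": r'powershell.exe -c "$env:COMPlus_ETWEnabled=1; C:\Tools\app.exe"',
}


def run_over_samples(samples=SAMPLES):
    """Return {name: (literal clause hit, pattern classification)}."""
    return {name: (literal_match(cmd), classify(cmd)) for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, (literal, kind) in run_over_samples().items():
        print(f"{name:20} literal={str(literal):5} pattern={kind}")
```

Only the first two samples satisfy the literal clause; the pattern classifies the first five as environment-variable writes, the reg.exe and New-ItemProperty lines as registry writes, and leaves the value-1 line alone because the token is not zero.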

YARA Rules

rule SUSP_Disable_ETW_Jun20_1 {
   meta:
      description = "Detects method to disable ETW in ENV vars before executing a program"
      author = "Florian Roth"
      reference = "https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3"
      date = "2020-06-06"
   strings:
      $x1 = "set COMPlus_ETWEnabled=0" ascii wide fullword
      $x2 = "$env:COMPlus_ETWEnabled=0" ascii wide fullword

      $s1 = "Software\\Microsoft\\.NETFramework" ascii wide
      $sa1 = "/v ETWEnabled" ascii wide fullword 
      $sa2 = " /d 0" ascii wide
      $sb4 = "-Name ETWEnabled"
      $sb5 = " -Value 0 "
   condition:
      1 of ($x*) or 3 of them 
}

References

@jangeisbauer

Great article Roberto! In the 'initial detection' section, a backslash is missing after Microsoft: Microsoft.NETFramework

@Cyb3rWard0g

Thank you Jan! The \. was hiding in markdown 😆

@Cyb3rSn0rlax

Thank you for saving us again
