- The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
- CLRConfig will look for configurations in the following places in the following order:
- Look at environment variables (prepending COMPlus_ to the name)
- Look at the framework registry keys (
HKCU\Software\Microsoft\.NETFramework - Look at the framework registry keys
HKLM\Software\Microsoft\.NETFramework)
- These can be set in the following ways:
- Setting the environment variable COMPlus_:
- Windows
set COMPlus_ETWEnabled=0 - Powershell
$env:COMPlus_ETWEnabled=0
- Windows
- Setting the registry key
HKCU\Software\Microsoft\.NETFramework, Value<flagName>, type REG_SZ or REG_DWORD (depending on the flag). - Setting the registry key
HKLM\Software\Microsoft\.NETFramework, Value<flagName>, type REG_SZ or REG_DWORD (depending on the flag).
- Setting the environment variable COMPlus_:
- Process Temp environment variables do not generate registry entries. They affect the current and child process context only. They also override the System and User environment variables only at the current and child process level.
- User environment variables are set in
HKEY_CURRENT_USER\Environment - System environment variables are set in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
How-to:
REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -force
git clone https://github.com/OTRF/Set-AuditRule
cd Set-AuditRule/
Import-Module .\Set-AuditRule
Set-AuditRule -RegistryPath HKLM:\Software\Microsoft\.NETFramework -IdentityReference Everyone -Rights WriteKey -InheritanceFlags None -PropagationFlags None -AuditFlags Success
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4657</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-06-05T14:19:46.191217300Z" />
<EventRecordID>4696</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="7596" />
<Channel>Security</Channel>
<Computer>WIN001</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3546175504-2357902153-469416152-500</Data>
<Data Name="SubjectUserName">wardog</Data>
<Data Name="SubjectDomainName">WIN001</Data>
<Data Name="SubjectLogonId">0x30389e</Data>
<Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\.NETFramework</Data>
<Data Name="ObjectValueName">ETWEnabled</Data>
<Data Name="HandleId">0xac</Data>
<Data Name="OperationType">%%1904</Data>
<Data Name="OldValueType">-</Data>
<Data Name="OldValue">-</Data>
<Data Name="NewValueType">%%1876</Data>
<Data Name="NewValue">0</Data>
<Data Name="ProcessId">0x232c</Data>
<Data Name="ProcessName">C:\Windows\System32\reg.exe</Data>
</EventData>
</Event>
<Sysmon schemaversion="4.30">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except -->
<RegistryEvent onmatch="include">
<TargetObject condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
<TargetObject condition="end with">Environment\COMPlus_ETWEnabled</TargetObject>
</RegistryEvent>
</RuleGroup>
</EventFiltering>
</Sysmon>
Modifiying .NETFramework Registry
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-06-05T14:49:05.832297000Z" />
<EventRecordID>7599132</EventRecordID>
<Correlation />
<Execution ProcessID="3728" ThreadID="4120" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>WIN001</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName">-</Data>
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2020-06-05 14:49:05.830</Data>
<Data Name="ProcessGuid">{4658655a-5aaf-5eda-0608-000000000300}</Data>
<Data Name="ProcessId">8612</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\.NETFramework\ETWEnabled</Data>
<Data Name="Details">DWORD (0x00000000)</Data>
</EventData>
</Event>
Setting Machine Scope Environment Variables
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-06-08T17:22:12.7733715Z" />
<EventRecordID>10172</EventRecordID>
<Correlation />
<Execution ProcessID="3952" ThreadID="7888" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-XYZ</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName">-</Data>
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2020-06-08 17:22:12.763</Data>
<Data Name="ProcessGuid">{f59df1a0-73b6-5ede-0003-000000000400}</Data>
<Data Name="ProcessId">11364</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="TargetObject">HKLM\System\CurrentControlSet\Control\Session Manager\Environment\COMPlus_ETWEnabled</Data>
<Data Name="Details">1</Data>
</EventData>
</Event>
Registry Modification of .NETFramework
title: COMPlus_ETWEnabled Registry Modification
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
tags:
- attack.defense_evasion
- attack.t1112
logsource:
product: windows
service: security
detection:
selection:
EventID: 4657
ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
ObjectValueName: 'ETWEnabled'
NewValue: '0'
condition: selection
falsepositives:
- unknown
level: criticalBasic Process CommandLine Arguments
title: COMPlus_ETWEnabled Command Line Arguments
id: 41421f44-58f9-455d-838a-c398859841d4
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
tags:
- attack.defense_evasion
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
CommandLine|contains: 'COMPlus_ETWEnabled=0'
condition: selection
falsepositives:
- unknown
level: criticalRegistry Modification of .NETFramework
title: COMPlus_ETWEnabled Registry Modification
id: 41421f44-58f9-455d-838a-c398859841d4
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://twitter.com/Cyb3rWard0g/status/1270034301757857806
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_environment_variables?view=powershell-7#changing-environment-variables
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
tags:
- attack.defense_evasion
- attack.t1112
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 13
selection2:
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
Details: 'DWORD (0x00000000)'
selection3:
TargetObject|endswith: 'Environment\COMPlus_ETWEnabled'
Details: '0'
condition: selection1 and (selection2 or selection3)
falsepositives:
- unknown
level: criticalBasic Process CommandLine Arguments
title: COMPlus_ETWEnabled Command Line Arguments
id: 41421f44-58f9-455d-838a-c398859841d4
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
tags:
- attack.defense_evasion
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine|contains: 'COMPlus_ETWEnabled=0'
condition: selection
falsepositives:
- unknown
level: critical- Author: Florian Roth
- Reference: https://github.com/Neo23x0/signature-base/blob/master/yara/gen_suspicious_strings.yar#L363-L380
rule SUSP_Disable_ETW_Jun20_1 {
meta:
description = "Detects method to disable ETW in ENV vars before exeucting a program"
author = "Florian Roth"
reference = "https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3"
date = "2020-06-06"
strings:
$x1 = "set COMPlus_ETWEnabled=0" ascii wide fullword
$x2 = "$env:COMPlus_ETWEnabled=0" ascii wide fullword
$s1 = "Software\\Microsoft.NETFramework" ascii wide
$sa1 = "/v ETWEnabled" ascii wide fullword
$sa2 = " /d 0" ascii wide
$sb4 = "-Name ETWEnabled"
$sb5 = " -Value 0 "
condition:
1 of ($x*) or 3 of them
}
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://github.com/OTRF/Set-AuditRule
- https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-3.1
- https://twitter.com/Cyb3rWard0g/status/1270034301757857806
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_environment_variables?view=powershell-7#changing-environment-variables
Thank you Jan! The
\.was hiding in markdown 😆