COMPlus_ETWEnabled_detection_notes.md

Initial Notes:

• The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
• CLRConfig will look for configurations in the following places in the following order:
  • Look at environment variables (prepending COMPlus_ to the name)
  • Look at the framework registry keys (HKCU\Software\Microsoft\.NETFramework
  • Look at the framework registry keys HKLM\Software\Microsoft\.NETFramework)
• These can be set in the following ways:
  • Setting the environment variable COMPlus_:
    • Windows set COMPlus_ETWEnabled=0
    • Powershell $env:COMPlus_ETWEnabled=0
  • Setting the registry key HKCU\Software\Microsoft\.NETFramework, Value <flagName>, type REG_SZ or REG_DWORD (depending on the flag).
  • Setting the registry key HKLM\Software\Microsoft\.NETFramework, Value <flagName>, type REG_SZ or REG_DWORD (depending on the flag).

Process vs User vs Machine (Sytem) scope Environment Variables

• Process Temp environment variables do not generate registry entries. They affect the current and child process context only. They also override the System and User environment variables only at the current and child process level.
• User environment variables are set in HKEY_CURRENT_USER\Environment
• System environment variables are set in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Initial Detection Ideas

Adversary Modifying/Setting Property values on .NETFramework

How-to:

• REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0
• New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -force

Windows Security Event Approach

Creating SACL:

git clone https://github.com/OTRF/Set-AuditRule
cd Set-AuditRule/
Import-Module .\Set-AuditRule

Set-AuditRule -RegistryPath HKLM:\Software\Microsoft\.NETFramework -IdentityReference Everyone -Rights WriteKey -InheritanceFlags None -PropagationFlags None -AuditFlags Success

Generates Event 4657

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
- <System> 
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
<EventID>4657</EventID> 
<Version>0</Version> 
<Level>0</Level> 
<Task>12801</Task> 
<Opcode>0</Opcode> 
<Keywords>0x8020000000000000</Keywords> 
<TimeCreated SystemTime="2020-06-05T14:19:46.191217300Z" /> 
<EventRecordID>4696</EventRecordID> 
<Correlation /> 
<Execution ProcessID="4" ThreadID="7596" /> 
<Channel>Security</Channel> 
<Computer>WIN001</Computer> 
<Security /> 
</System> 
- <EventData> 
<Data Name="SubjectUserSid">S-1-5-21-3546175504-2357902153-469416152-500</Data> 
<Data Name="SubjectUserName">wardog</Data> 
<Data Name="SubjectDomainName">WIN001</Data> 
<Data Name="SubjectLogonId">0x30389e</Data> 
<Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\.NETFramework</Data> 
<Data Name="ObjectValueName">ETWEnabled</Data> 
<Data Name="HandleId">0xac</Data> 
<Data Name="OperationType">%%1904</Data> 
<Data Name="OldValueType">-</Data> 
<Data Name="OldValue">-</Data> 
<Data Name="NewValueType">%%1876</Data> 
<Data Name="NewValue">0</Data> 
<Data Name="ProcessId">0x232c</Data> 
<Data Name="ProcessName">C:\Windows\System32\reg.exe</Data> 
</EventData> 
</Event>

Sysmon Approach

Sysmon Config

<Sysmon schemaversion="4.30">
   <!-- Capture all hashes -->
   <HashAlgorithms>*</HashAlgorithms>
   <EventFiltering>
	<RuleGroup name="" groupRelation="or">
	<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. Log everything except -->
		<RegistryEvent onmatch="include">
			<TargetObject condition="end with">SOFTWARE\Microsoft\.NETFramework\ETWEnabled</TargetObject>
			<TargetObject condition="end with">Environment\COMPlus_ETWEnabled</TargetObject>
		</RegistryEvent>
	</RuleGroup>
  </EventFiltering>
</Sysmon>

Generates Event ID 13 (SetValue)

Modifiying .NETFramework Registry

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
- <System> 
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" /> 
<EventID>13</EventID> 
<Version>2</Version> 
<Level>4</Level> 
<Task>13</Task> 
<Opcode>0</Opcode> 
<Keywords>0x8000000000000000</Keywords> 
<TimeCreated SystemTime="2020-06-05T14:49:05.832297000Z" /> 
<EventRecordID>7599132</EventRecordID> 
<Correlation /> 
<Execution ProcessID="3728" ThreadID="4120" /> 
<Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
<Computer>WIN001</Computer> 
<Security UserID="S-1-5-18" /> 
</System> 
- <EventData> 
<Data Name="RuleName">-</Data> 
<Data Name="EventType">SetValue</Data> 
<Data Name="UtcTime">2020-06-05 14:49:05.830</Data> 
<Data Name="ProcessGuid">{4658655a-5aaf-5eda-0608-000000000300}</Data> 
<Data Name="ProcessId">8612</Data> 
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data> 
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\.NETFramework\ETWEnabled</Data> 
<Data Name="Details">DWORD (0x00000000)</Data> 
</EventData> 
</Event>

Setting Machine Scope Environment Variables

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
  <EventID>13</EventID>
  <Version>2</Version>
  <Level>4</Level>
  <Task>13</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8000000000000000</Keywords>
  <TimeCreated SystemTime="2020-06-08T17:22:12.7733715Z" />
  <EventRecordID>10172</EventRecordID>
  <Correlation />
  <Execution ProcessID="3952" ThreadID="7888" />
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
  <Computer>DESKTOP-XYZ</Computer>
  <Security UserID="S-1-5-18" />
  </System>
- <EventData>
  <Data Name="RuleName">-</Data>
  <Data Name="EventType">SetValue</Data>
  <Data Name="UtcTime">2020-06-08 17:22:12.763</Data>
  <Data Name="ProcessGuid">{f59df1a0-73b6-5ede-0003-000000000400}</Data>
  <Data Name="ProcessId">11364</Data>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="TargetObject">HKLM\System\CurrentControlSet\Control\Session Manager\Environment\COMPlus_ETWEnabled</Data>
  <Data Name="Details">1</Data>
  </EventData>
  </Event>

Creating Sigma Rules

Windows Security Auditing Rules

Registry Modification of .NETFramework

title: COMPlus_ETWEnabled Registry Modification
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
  - https://twitter.com/_xpn_/status/1268712093928378368
  - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
  - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
  - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
  - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
  - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
  - https://bunnyinside.com/?term=f71e8cb9c76a
  - http://managed670.rssing.com/chan-5590147/all_p1.html
  - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4657
        ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework' 
        ObjectValueName: 'ETWEnabled'
        NewValue: '0'
    condition: selection
falsepositives:
    - unknown
level: critical

Basic Process CommandLine Arguments

title: COMPlus_ETWEnabled Command Line Arguments
id: 41421f44-58f9-455d-838a-c398859841d4
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
  - https://twitter.com/_xpn_/status/1268712093928378368
  - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
  - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
  - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
  - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
  - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
  - https://bunnyinside.com/?term=f71e8cb9c76a
  - http://managed670.rssing.com/chan-5590147/all_p1.html
  - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
tags:
    - attack.defense_evasion
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        CommandLine|contains: 'COMPlus_ETWEnabled=0'
    condition: selection
falsepositives:
    - unknown
level: critical

Sysmon Rules

Registry Modification of .NETFramework

title: COMPlus_ETWEnabled Registry Modification
id: 41421f44-58f9-455d-838a-c398859841d4
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
  - https://twitter.com/_xpn_/status/1268712093928378368
  - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
  - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
  - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
  - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
  - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
  - https://bunnyinside.com/?term=f71e8cb9c76a
  - http://managed670.rssing.com/chan-5590147/all_p1.html
  - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
  - https://twitter.com/Cyb3rWard0g/status/1270034301757857806
  - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_environment_variables?view=powershell-7#changing-environment-variables
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 13
    selection2:
        TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
        Details: 'DWORD (0x00000000)'
    selection3:
        TargetObject|endswith: 'Environment\COMPlus_ETWEnabled'
        Details: '0'
    condition: selection1 and (selection2 or selection3)
falsepositives:
    - unknown
level: critical

Basic Process CommandLine Arguments

title: COMPlus_ETWEnabled Command Line Arguments
id: 41421f44-58f9-455d-838a-c398859841d4
status: experimental
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
  - https://twitter.com/_xpn_/status/1268712093928378368
  - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
  - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
  - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
  - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
  - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
  - https://bunnyinside.com/?term=f71e8cb9c76a
  - http://managed670.rssing.com/chan-5590147/all_p1.html
  - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
tags:
    - attack.defense_evasion
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine|contains: 'COMPlus_ETWEnabled=0'
    condition: selection
falsepositives:
    - unknown
level: critical

YARA Rules

• Author: Florian Roth
• Reference: https://github.com/Neo23x0/signature-base/blob/master/yara/gen_suspicious_strings.yar#L363-L380

rule SUSP_Disable_ETW_Jun20_1 {
   meta:
      description = "Detects method to disable ETW in ENV vars before exeucting a program"
      author = "Florian Roth"
      reference = "https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3"
      date = "2020-06-06"
   strings:
      $x1 = "set COMPlus_ETWEnabled=0" ascii wide fullword
      $x2 = "$env:COMPlus_ETWEnabled=0" ascii wide fullword

      $s1 = "Software\\Microsoft.NETFramework" ascii wide
      $sa1 = "/v ETWEnabled" ascii wide fullword 
      $sa2 = " /d 0" ascii wide
      $sb4 = "-Name ETWEnabled"
      $sb5 = " -Value 0 "
   condition:
      1 of ($x*) or 3 of them 
}

References

• https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
• https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
• https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
• https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
• https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
• https://bunnyinside.com/?term=f71e8cb9c76a
• http://managed670.rssing.com/chan-5590147/all_p1.html
• https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
• https://github.com/OTRF/Set-AuditRule
• https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-3.1
• https://twitter.com/Cyb3rWard0g/status/1270034301757857806
• https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_environment_variables?view=powershell-7#changing-environment-variables

great article Roberto! In the 'initial detection' section, there is missing a backslash after Microsoft: Microsoft.NETFramework

Thank you Jan! The \. was hiding in markdown 😆

Thank you for saving us again