BamboozlEDR: How to Blind EDRs with Fake ETW Events

Introduction

Event Tracing for Windows (ETW) is a powerful logging mechanism used by Endpoint Detection and Response (EDR) solutions to monitor system activity. Security researcher Olaf Hartong’s BamboozlEDR tool allows researchers and red teams to inject fake ETW events, generating false alerts and potentially bypassing EDR detection. This article explores how BamboozlEDR works, key commands, and its implications for cybersecurity.

Learning Objectives

  • Understand how ETW is used by EDRs for threat detection.
  • Learn how BamboozlEDR manipulates ETW events to evade detection.
  • Explore defensive strategies to detect and mitigate fake ETW injections.

You Should Know

1. How ETW Works in Windows Security

ETW (Event Tracing for Windows) is a kernel-level logging framework that captures system events, including process creation, network activity, and file operations. EDR solutions rely on ETW for real-time monitoring.

Command to List ETW Providers:

logman query providers

Step-by-Step Guide:

1. Open PowerShell as Administrator.

2. Run the command to list all registered ETW providers.

3. Review the output to identify security-related providers (e.g., Microsoft-Windows-Threat-Intelligence).

2. Injecting Fake Events with BamboozlEDR

BamboozlEDR allows attackers to inject fabricated events into ETW, confusing EDRs with false positives.

GitHub Repository:

🔗 BamboozlEDR on GitHub

Example Command:

.\BamboozlEDR.exe -Provider "Microsoft-Windows-Sysmon" -EventID 1 -FakeCommand "C:\malware.exe"

Step-by-Step Guide:

1. Clone the BamboozlEDR repository.

2. Compile the tool (requires Visual Studio).

3. Execute with a target provider (e.g., Sysmon) and a spoofed command line.

3. Detecting Fake ETW Events

Defenders can analyze ETW-derived logs such as the Sysmon channel for inconsistencies, and corroborate suspicious records against telemetry sources the spoofed events do not touch.

PowerShell Command to Monitor ETW:

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Message -like "*malware.exe*" }

Step-by-Step Guide:

1. Open PowerShell with admin rights.

2. Query Sysmon logs for suspicious entries.

3. Investigate unexpected process creations.
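The following script is an added illustration of that cross-checking and is not code from the article or from BamboozlEDR. It takes Sysmon Event ID 1 (process creation) records and Security event 4688 records, applies two consistency heuristics to each Sysmon record (a genuine Event 1 always carries a ProcessGuid, and the executable named in the command line should be the Image), and then looks for a corroborating 4688 for the same PID and image within a short window. All records are constructed for the example; the script assumes the hex PID in 4688 has already been converted to an integer, and the check only works where process-creation auditing (4688) is enabled.

```python
# Added example: correlate Sysmon Event ID 1 (process creation) records with
# Security log 4688 records and flag Sysmon records that look fabricated.
# All records below are constructed for illustration, not real telemetry.
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath


@dataclass
class Event:
    source: str            # "Sysmon" or "Security"
    event_id: int          # 1 = Sysmon process create, 4688 = Security process create
    time: datetime
    pid: int               # 4688 logs the PID in hex; assumed already converted
    image: str             # Sysmon "Image" / Security "New Process Name"
    command_line: str
    process_guid: str = ""  # Sysmon-only field, present on every genuine Event 1


T0 = datetime(2025, 1, 1, 12, 0, 0)

# Constructed sample: one genuine Sysmon/Security pair, then two Sysmon
# records with no Security counterpart (GUID values are placeholders).
SAMPLE_EVENTS = [
    Event("Sysmon", 1, T0, 4120, r"C:\Windows\System32\notepad.exe",
          r'"C:\Windows\System32\notepad.exe" C:\notes.txt', "{GUID-1-CONSTRUCTED}"),
    Event("Security", 4688, T0 + timedelta(milliseconds=120), 4120,
          r"C:\Windows\System32\notepad.exe",
          r'"C:\Windows\System32\notepad.exe" C:\notes.txt'),
    # Record in the style of the article's example: no GUID, no 4688 counterpart
    Event("Sysmon", 1, T0 + timedelta(seconds=3), 9999,
          r"C:\malware.exe", r"C:\malware.exe"),
    # Record whose Image and command line disagree, and again no 4688 counterpart
    Event("Sysmon", 1, T0 + timedelta(seconds=4), 5555,
          r"C:\Windows\System32\cmd.exe", "powershell.exe -NoLogo",
          "{GUID-2-CONSTRUCTED}"),
]


def _first_token(command_line: str) -> str:
    """Return the executable token of a command line, honouring a quoted first argument."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split()[0] if cl else ""


def check_field_consistency(ev: Event) -> list[str]:
    """Heuristics that hold for a genuine Sysmon Event 1 but not for a hand-built record."""
    findings = []
    if not ev.process_guid:
        findings.append("missing ProcessGuid")
    exe = ntpath.basename(_first_token(ev.command_line))
    image_name = ntpath.basename(ev.image)
    if exe and exe.lower() != image_name.lower():
        findings.append(f"command-line executable {exe!r} does not match Image {image_name!r}")
    return findings


def find_uncorroborated(events, window: timedelta = timedelta(seconds=5)) -> dict[str, list[str]]:
    """Map each suspicious Sysmon Event 1 (keyed by GUID, or pid when absent) to its findings."""
    security = [e for e in events if e.source == "Security" and e.event_id == 4688]
    results: dict[str, list[str]] = {}
    for ev in events:
        if ev.source != "Sysmon" or ev.event_id != 1:
            continue
        findings = check_field_consistency(ev)
        corroborated = any(
            s.pid == ev.pid
            and s.image.lower() == ev.image.lower()
            and abs(s.time - ev.time) <= window
            for s in security
        )
        if not corroborated:
            findings.append("no corroborating Security 4688 event within window")
        if findings:
            results[ev.process_guid or f"pid:{ev.pid}"] = findings
    return results


if __name__ == "__main__":
    for key, findings in find_uncorroborated(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(findings))
```

Run as a script it prints the two constructed records that fail the checks and stays silent about the genuine notepad pair. The window size is a tuning choice: Sysmon and the Security audit stamp the same process creation a few milliseconds apart, so a few seconds of slack is generous without letting a fabricated record borrow an unrelated 4688 for a recycled PID.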

4. Hardening EDR Against ETW Tampering

Disabling unnecessary ETW providers can reduce attack surface. Check which providers your EDR subscribes to before removing any: Microsoft-Windows-Threat-Intelligence in particular is consumed by EDR sensors, so removing it from their sessions reduces their visibility rather than hardening them.

Command to Remove an ETW Provider from a Trace Session:

logman update trace "<TraceSessionName>" --p "Microsoft-Windows-Threat-Intelligence" -ets

`logman stop <name> -ets` takes a trace session name, not a provider name, and stops the entire session with all of its providers; the `--p` form above removes a single provider from a running session. The session name is a placeholder: list running sessions with `logman query -ets`.

Step-by-Step Guide:

1. Identify high-risk ETW providers.

2. Use `logman stop` to disable non-critical providers.

3. Monitor for stability impact.

5. Future of ETW Exploitation & Defense

As attackers refine ETW manipulation, EDR vendors must implement event validation.

Prediction:

  • Short-term: More red teams will adopt BamboozlEDR for EDR evasion.
  • Long-term: Microsoft may introduce cryptographic ETW event signing to prevent spoofing.

What Undercode Says

  • Key Takeaway 1: BamboozlEDR exposes a critical weakness in EDR reliance on unvalidated ETW events.
  • Key Takeaway 2: Defenders must augment EDR with behavioral analysis to detect anomalies.

Analysis:

While BamboozlEDR is a research tool, its techniques could be weaponized by adversaries. Organizations should audit ETW logs, implement strict allowlisting, and deploy additional telemetry sources beyond ETW. The cat-and-mouse game between attackers and defenders continues, with ETW manipulation now a key battleground.

By understanding and mitigating ETW-based attacks, security teams can stay ahead of evolving threats. For more details, check Olaf Hartong’s Black Hat USA slides.

Reported By: Olafhartong Github – Hackers Feeds