
Introduction
Event Tracing for Windows (ETW) is a powerful logging mechanism used for performance monitoring and threat detection. Attackers and defenders alike can leverage ETW telemetry—sometimes remotely—using techniques like the Performance Logs and Alerts (PLA) DCOM library. This article explores how red teams and blue teams can use these methods for evasion, detection, and remote EDR analysis.
Learning Objectives
- Understand how PLA and DCOM can be used to access ETW telemetry remotely.
- Learn how to detect hidden security processes (e.g., Sysmon) via TraceDataProvider.
- Apply evasion techniques discussed in advanced red team operations (RTO) courses.
You Should Know
1. Remote ETW Telemetry via PLA DCOM
Command:
$logman = New-Object -ComObject "PLA.DataCollector"
$logman.Query("Microsoft-Windows-Sysmon/Operational", "Event/System[EventID=1]")
Step-by-Step Guide:
1. Instantiate the PLA DataCollector COM object.
2. Query ETW providers (e.g., Sysmon) for specific events (e.g., Process Creation, EventID 1).
3. Parse the returned XML to extract telemetry without installing a local agent.
2. Detecting Hidden SysMon via TraceDataProvider
Command (C++):
#include <pla.h>   // ITraceDataProvider, CLSID_TraceDataProvider, IID_ITraceDataProvider
ITraceDataProvider* pProvider = NULL;
CoInitializeEx(NULL, COINIT_MULTITHREADED);   // COM must be initialised on this thread first
CoCreateInstance(CLSID_TraceDataProvider, NULL, CLSCTX_ALL, IID_ITraceDataProvider, (void**)&pProvider);
// Query(providerName, server): a NULL server means the local machine; check the HRESULT with SUCCEEDED()
HRESULT hr = pProvider->Query(L"Microsoft-Windows-Sysmon", NULL);
Step-by-Step Guide:
1. Use COM to interface with `TraceDataProvider`.
2. Query for Sysmon’s provider GUID.
3. If it is found, Sysmon is active, which is useful for evasion checks.
3. Disabling ETW Providers for Evasion
Command (PowerShell):
logman stop "Microsoft-Windows-Sysmon" -ets
Step-by-Step Guide:
1. Identify running ETW sessions with `logman query -ets`.
2. Terminate security-related sessions (e.g., Sysmon) to blind EDR.
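From the defender's side, the counterpart to the session-stop technique above is to notice when a trace session that telemetry depends on is no longer running. The PowerShell below is an added example (not code from the original post): it parses `logman query -ets`, compares the running sessions against a required list, and raises a Windows event when one is missing. The session names in `$RequiredSessions` and the event source `EtwSessionMonitor` are assumptions; adjust them to your build.

```powershell
# Added example: verify that the ETW sessions a defender relies on are still running.
# Session names below are assumptions; confirm them with 'logman query -ets' on your host.
$RequiredSessions = @(
    'EventLog-Microsoft-Windows-Sysmon-Operational',  # assumed name of the Sysmon channel session
    'EventLog-Security'                                # assumed name of the Security channel session
)

function Get-EtwSessionStatus {
    # 'logman query -ets' prints a table of active trace sessions: "<Name>   Trace   Running"
    $lines = & logman.exe query -ets 2>&1
    foreach ($line in $lines) {
        if ($line -match '^(?<Name>\S.*?)\s{2,}(?<Type>\S+)\s+(?<Status>Running|Stopped)\s*$') {
            [pscustomobject]@{
                Name   = $Matches.Name.Trim()
                Type   = $Matches.Type
                Status = $Matches.Status
            }
        }
    }
}

function Test-RequiredEtwSessions {
    param([string[]]$Required)
    $running = (Get-EtwSessionStatus | Where-Object Status -eq 'Running').Name
    foreach ($name in $Required) {
        [pscustomobject]@{
            Session = $name
            Running = ($running -contains $name)
        }
    }
}

$result  = Test-RequiredEtwSessions -Required $RequiredSessions
$missing = $result | Where-Object { -not $_.Running }
if ($missing) {
    # Surface the gap to central log collection. The source name is an assumption;
    # register it once with: New-EventLog -LogName Application -Source EtwSessionMonitor
    $msg = 'Required ETW session(s) not running: ' + ($missing.Session -join ', ')
    Write-Warning $msg
    Write-EventLog -LogName Application -Source 'EtwSessionMonitor' -EntryType Warning `
        -EventId 1001 -Message $msg -ErrorAction SilentlyContinue
}
$result
```

Run it from a scheduled task at a short interval; the resulting event 1001 (an assumed ID) is what a SIEM rule keys on. Because the check runs locally, it also catches sessions stopped through other means than `logman`, such as a direct `ControlTrace` call.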
4. Enumerating Remote DCOM Objects for ETW Access
Command (Impacket):
python dcomexec.py -object PLA.DataCollector DOMAIN/user:password@target
Step-by-Step Guide:
- Use Impacket’s DCOM execution to remotely interact with PLA.
- Execute ETW queries as shown in Section 1.
5. Mitigation: Restricting DCOM Permissions
Command (Windows GPO):
Computer Configuration > Administrative Templates > DCOM > Machine Launch Restrictions
Step-by-Step Guide:
1. Restrict DCOM access to authorized users only.
2. Audit `DCOM` and `ETW` provider modifications.
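The GPO path above writes the machine-wide DCOM launch restriction as a binary security descriptor under `HKLM\SOFTWARE\Microsoft\Ole`. The PowerShell below is an added example (not code from the original post) that decodes those descriptors and flags any ACE granting remote launch or activation to broad principals, then lists recent DCOM access-denied events (System log, provider Microsoft-Windows-DistributedCOM, event 10016) so the effect of a tightened policy can be audited. The `$BroadPrincipals` list is an assumption; tune it to your policy.

```powershell
# Added example: audit machine-wide DCOM launch/activation permissions and recent DCOM denials.
# Requires PowerShell 5+ for the ::new() syntax.

# COM launch-permission access-mask bits (Windows SDK values).
$COM_RIGHTS_EXECUTE_LOCAL   = 0x2
$COM_RIGHTS_EXECUTE_REMOTE  = 0x4
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x8
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

# Principals considered too broad for remote DCOM launch (assumption: adjust to your policy).
$BroadPrincipals = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, Users

function Get-DcomPolicyAces {
    # $ValueName is e.g. MachineLaunchRestriction or DefaultLaunchPermission.
    param([Parameter(Mandatory)][string]$ValueName)
    $key   = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $bytes = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction Stop).$ValueName
    # The value is a self-relative security descriptor; parse it with .NET.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) { return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Policy         = $ValueName
            Principal      = $name
            Sid            = $sid.Value
            Type           = $ace.AceType
            AccessMask     = ('0x{0:X}' -f $ace.AccessMask)
            LocalLaunch    = [bool]($ace.AccessMask -band $COM_RIGHTS_EXECUTE_LOCAL)
            RemoteLaunch   = [bool]($ace.AccessMask -band $COM_RIGHTS_EXECUTE_REMOTE)
            LocalActivate  = [bool]($ace.AccessMask -band $COM_RIGHTS_ACTIVATE_LOCAL)
            RemoteActivate = [bool]($ace.AccessMask -band $COM_RIGHTS_ACTIVATE_REMOTE)
        }
    }
}

function Find-BroadRemoteDcomGrants {
    param([string[]]$ValueNames = @('MachineLaunchRestriction', 'DefaultLaunchPermission'))
    foreach ($v in $ValueNames) {
        try { $aces = Get-DcomPolicyAces -ValueName $v }
        catch { Write-Warning "$v is not set on this machine (no policy applied)"; continue }
        $aces | Where-Object {
            $_.Type -eq 'AccessAllowed' -and
            ($_.RemoteLaunch -or $_.RemoteActivate) -and
            ($BroadPrincipals -contains $_.Sid)
        }
    }
}

function Get-RecentDcomDenials {
    # Event 10016 is logged by DistributedCOM when launch/activation permission is refused.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

$findings = Find-BroadRemoteDcomGrants
if ($findings) {
    Write-Warning 'Broad principals hold remote DCOM launch/activation rights:'
    $findings | Format-Table Policy, Principal, RemoteLaunch, RemoteActivate, AccessMask -AutoSize
} else {
    'No broad remote DCOM launch/activation grants found in machine-wide policy.'
}
Get-RecentDcomDenials | Format-Table -AutoSize
```

`MachineLaunchRestriction` is only present once the policy above has been applied; until then the script warns and falls back to `DefaultLaunchPermission`, which is what unrestricted hosts actually enforce. A spike in event 10016 after the restriction is rolled out identifies which accounts were relying on remote activation, which is the audit step the section calls for.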
What Undercode Says
- Key Takeaway 1: PLA DCOM provides a stealthy way to query ETW without deploying agents, making it a double-edged sword for attackers and defenders.
- Key Takeaway 2: TraceDataProvider interfaces expose hidden security tools, enabling evasion but also aiding detection.
Analysis:
The intersection of DCOM, ETW, and PLA highlights the cat-and-mouse game in cybersecurity. While red teams abuse these features for evasion, blue teams can repurpose them for threat hunting. Future EDR solutions may harden DCOM interfaces, but legacy systems will remain vulnerable. Organizations should monitor DCOM activity and restrict ETW provider permissions proactively.
Prediction
As EDR solutions evolve, expect more attacks leveraging legitimate Windows components like PLA and DCOM. Defenders will counter with granular logging and AI-driven anomaly detection, but the arms race will persist.
Reported By: Sektor7 Institute – Hackers Feeds