Jonathan Johnson, Principal Windows Security Researcher at Huntress, explores a novel approach to deploying a “Remote EDR” using DCOM interfaces to enable remote ETW (Event Tracing for Windows) trace sessions without requiring disk-based agents. This method enhances stealth and reduces forensic footprints.
Key Resources:
- Detailed Write-up: Remote EDR via DCOM Interfaces
- GitHub Project: JonMon-Lite
You Should Know:
1. Enabling Remote ETW via DCOM
DCOM (Distributed Component Object Model) interfaces allow remote system interaction. The research leverages `IEventSubscription` and `IEtwTraceSession` interfaces to initiate ETW sessions.
PowerShell Command to List DCOM Interfaces:
Get-CimInstance -Namespace "root\cimv2" -ClassName Win32_DCOMApplication | Select Name, AppID
C++ Snippet for Remote ETW Initialization:
#include <windows.h>
#include <eventsys.h>   // COM+ Event System: defines CLSID_CEventSubscription and IID_IEventSubscription
CoInitializeEx(NULL, COINIT_MULTITHREADED);
IEventSubscription *pSub = NULL;   // COM interfaces are used through a pointer, never by value
HRESULT hr = CoCreateInstance(CLSID_CEventSubscription, NULL, CLSCTX_ALL, IID_IEventSubscription, (void **)&pSub);   // out-param must be void**, not (void)
2. Avoiding Disk Artifacts
Traditional EDRs drop DLLs or executables. This method uses in-memory execution via:
Invoke-Command -ComputerName TARGET -ScriptBlock { logman.exe create trace "RemoteEDR" -ow -o C:\Windows\Temp\Trace.etl }
3. Securing Remote Sessions
John Cartrett’s feedback highlights security concerns with administrative shares (C$). Mitigate risks using:
– Write-Only Guest Shares:
net share EDR_Logs=C:\EDR_Logs /GRANT:Guest,CHANGE
– Machine Account Restrictions:
icacls C:\EDR_Logs /grant "NT AUTHORITY\NETWORK SERVICE:(W)"
4. Extracting ETW Logs
Use `tracerpt` to parse binary logs:
tracerpt C:\Windows\Temp\Trace.etl -o parsed.csv -of CSV
5. Detecting Malicious ETW Sessions
Hunt for rogue sessions via:
Get-WinEvent -ListLog * | Where-Object { $_.LogName -match "RemoteEDR" }
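The one-liner above only inspects event log names. As an added detection example (not code from the original post or from the JonMon-Lite project), the following PowerShell goes further and inventories the live ETW trace sessions themselves with the built-in `Get-EtwTraceSession` cmdlet, flagging any session that is missing from a baseline allowlist or that writes its .etl to a location like the `C:\Windows\Temp` path used in section 2; the allowlist and path patterns are assumptions to be rebuilt from a known-good host.

```powershell
# Added example: flag unexpected ETW trace sessions on the local host.
# Assumes the EventTracingManagement module (Windows 10 / Server 2016+) and an elevated prompt.
# $KnownSessions is a constructed placeholder baseline; capture yours from a clean reference machine.
$KnownSessions = @(
    'EventLog-Application', 'EventLog-System', 'EventLog-Security',
    'NT Kernel Logger', 'Diagtrack-Listener'
)
# Output locations a rogue session is likely to use (assumption): temp dirs, public dirs, UNC shares.
$SuspiciousPaths = @('\\Windows\\Temp\\', '\\Users\\Public\\', '^\\\\')

function Find-SuspiciousEtwSession {
    param(
        [string[]]$Allowlist    = $KnownSessions,
        [string[]]$PathPatterns = $SuspiciousPaths
    )
    foreach ($s in Get-EtwTraceSession) {
        $reasons = @()
        # Any session name not seen on the baseline host is worth a look.
        if ($Allowlist -notcontains $s.Name) { $reasons += 'not in baseline' }
        # File-backed sessions expose their target path; real-time-only sessions leave it empty.
        $path = [string]$s.LocalFilePath
        foreach ($p in $PathPatterns) {
            if ($path -and $path -match $p) { $reasons += "logs to $path"; break }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Session = $s.Name
                LogFile = $path
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

# A session created with the logman command from section 2 would surface here
# as "not in baseline; logs to C:\Windows\Temp\Trace.etl".
Find-SuspiciousEtwSession | Format-Table -AutoSize
```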
What Undercode Say:
Deploying EDR without disk interaction is a game-changer for red teams and defenders. However:
– Monitor DCOM Activations:
Get-WinEvent -FilterHashtable @{ LogName = "System"; ProviderName = "Microsoft-Windows-DistributedCOM"; Id = 10001 }
– Restrict ETW Providers:
wevtutil sl "Microsoft-Windows-ETW" /ca:"O:SYG:SYD:(A;;0x1;;;BA)(A;;0x1;;;SY)"
– Linux Parallel (Auditd):
auditctl -a always,exit -S all -F pid!=1234 -k Remote_Monitoring
Expected Output: A stealthy, real-time ETW trace session logged to a secured share, parsed for analysis without disk writes.
Prediction:
Remote EDR techniques will evolve to exploit more undocumented DCOM/RPC interfaces, forcing Microsoft to harden ETW permissions in future Windows builds. Defenders should prioritize monitoring `IEventSubscription` activations in enterprise environments.
Reported By: Jonathan Johnson – Hackers Feeds