PoC to demonstrate how CLR ETW events can be tampered.
outflanknl/TamperETW

TamperETW

A proof of concept that demonstrates how CLR ETW events can be filtered or tampered with.

MDSec's Adam Chester (@_xpn_) recently published a great blog post on how Red Teams can hide the loading of .NET assemblies by disabling .NET ETW telemetry. In his post he included proof-of-concept code that demonstrates how to dismantle ETW telemetry by patching the native EtwEventWrite function.

Based on his research, I wrote an x64 version / proof of concept that uses native system calls to place an inline hook on the EtwEventWrite function.

By hooking EtwEventWrite and redirecting program flow to our custom MyEtwEventWrite function, we can intercept the function arguments and inspect or change the data (the EVENT_DESCRIPTOR and EVENT_DATA_DESCRIPTOR structures). We then use the native EtwEventWriteFull function to selectively forward .NET ETW events. In this PoC we block a few CLR ETW events from being sent, for example assembly loading events (AssemblyDCStart_V1), but with a bit more work it should be possible to spoof the assembly names before they are submitted with EtwEventWriteFull.
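From the defender's side, the interesting property of this technique is that it leaves a footprint: the first bytes of ntdll!EtwEventWrite in the process no longer match the bytes of the exported function in the DLL on disk. The following is an added example (not TamperETW code, not the author's method) of the comparison a detection tool would run once it has read those bytes from memory and from the file. All addresses and byte strings in it are constructed placeholders and do not represent the real prologue of any Windows build; the function names `classify_prologue`, `scan` and `run_demo` are ours.

```python
"""Heuristic check for inline hooks on an exported function prologue.

Added example: compares the observed in-memory prologue of a function such
as ntdll!EtwEventWrite with the expected (on-disk) bytes and classifies the
patch that replaced them. The sample bytes below are CONSTRUCTED placeholders,
not the real prologue of any Windows build; a real checker would read the first
bytes of the export from the loaded image and from the DLL file on disk.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PROLOGUE_LEN = 16            # bytes compared; long enough for every pattern below
MASK64 = (1 << 64) - 1


@dataclass
class HookReport:
    name: str
    tampered: bool
    pattern: str                      # recognised patch, "none", or "unknown-diff"
    target: Optional[int]             # resolved branch target when the patch encodes one
    diff_offsets: List[int] = field(default_factory=list)


def classify_prologue(name: str, function_va: int, expected: bytes, observed: bytes) -> HookReport:
    """Compare observed in-memory bytes against the expected clean prologue."""
    exp, obs = expected[:PROLOGUE_LEN], observed[:PROLOGUE_LEN]
    diffs = [i for i, (a, b) in enumerate(zip(exp, obs)) if a != b]
    if not diffs:
        return HookReport(name, False, "none", None)
    # E9 <rel32>: relative jmp; target = address after the 5-byte instruction + displacement
    if obs[0] == 0xE9:
        disp = struct.unpack_from("<i", obs, 1)[0]
        return HookReport(name, True, "jmp-rel32", (function_va + 5 + disp) & MASK64, diffs)
    # 48 B8 <imm64> FF E0: mov rax, imm64 ; jmp rax (a common x64 trampoline)
    if obs[:2] == b"\x48\xb8" and obs[10:12] == b"\xff\xe0":
        return HookReport(name, True, "mov-rax-jmp-rax", struct.unpack_from("<Q", obs, 2)[0], diffs)
    # FF 25 00 00 00 00 <abs64>: jmp qword ptr [rip+0] with the target stored inline
    if obs[:6] == b"\xff\x25\x00\x00\x00\x00":
        return HookReport(name, True, "jmp-rip-indirect", struct.unpack_from("<Q", obs, 6)[0], diffs)
    # 68 <imm32> C3: push imm32 ; ret (target truncated to 32 bits)
    if obs[0] == 0x68 and obs[5] == 0xC3:
        return HookReport(name, True, "push-ret", struct.unpack_from("<I", obs, 1)[0], diffs)
    # C3 as the first byte: the function was neutered with an immediate return
    if obs[0] == 0xC3:
        return HookReport(name, True, "ret-patch", None, diffs)
    return HookReport(name, True, "unknown-diff", None, diffs)


def scan(expected: Dict[str, Tuple[int, bytes]], observed: Dict[str, bytes]) -> List[HookReport]:
    """Run the check over several exports; one report per function."""
    return [classify_prologue(n, va, exp, observed[n]) for n, (va, exp) in expected.items()]


# --- constructed sample data: placeholder address and bytes, not real ntdll ---
FAKE_VA = 0x7FFB12340000
CLEAN = b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xec\x20\x48"
SAMPLES = {
    "EtwEventWrite_clean":  CLEAN,
    "EtwEventWrite_jmp":    b"\xe9" + struct.pack("<i", 0x1000) + CLEAN[5:],
    "EtwEventWrite_movrax": b"\x48\xb8" + struct.pack("<Q", 0x7FF700001000) + b"\xff\xe0" + CLEAN[12:],
    "EtwEventWrite_ret":    b"\xc3" + CLEAN[1:],
}


def run_demo() -> Dict[str, HookReport]:
    """Classify every constructed sample against the clean prologue."""
    expected = {n: (FAKE_VA, CLEAN) for n in SAMPLES}
    return {r.name: r for r in scan(expected, SAMPLES)}


if __name__ == "__main__":
    for r in run_demo().values():
        tgt = hex(r.target) if r.target is not None else "-"
        print(f"{r.name:24} tampered={r.tampered!s:5} pattern={r.pattern:16} target={tgt}")
```

The byte-for-byte diff is what matters; the pattern names only tell an analyst which trampoline shape to expect when following the branch target. Because the legitimate prologue differs per Windows build, the expected bytes must come from the file the process actually loaded rather than from a fixed signature.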


Usage:

Download the TamperETW folder and execute the TamperETW executable within the x64/releases folder (or recompile it from source).
When the MessageBox pops up, use Process Explorer or Process Hacker to watch the loaded .NET assemblies (ETW telemetry).

Credits

PoC Author: Cornelis de Plaa (@Cneelis) / Outflank. Based on research from: Adam Chester (@_xpn_) / MDSec
