Cybercriminals are seen to disable ETW to evade security detection

January 6, 2022
Cybercriminals ETW Evade Security Detection Event Tracing for Windows Event Viewer

Threat actors are discovered to be disabling the Event Tracing for Windows (ETW) tool in their attacks to blind cybersecurity products that rely on its logging mechanisms and sidestep being detected.

The Event Tracing for Windows or ETW is a default tool in Windows machines developed to trace and log events of user-mode applications and kernel-mode drivers. For Windows 11 version, the tool can acquire over 50,000 event types from about a thousand providers, like operating system services, common applications, the OSL kernel, DLLs, cybersecurity tools, and drivers.

ETW is also used by many endpoint detection and response (EDR) solutions in monitoring security-related incidents and malware detection.

 

However, threat actors are known to disable ETW to evade the detection of cybersecurity products during attacks.

 

Both profit-driven cybercriminals and state-backed cyberspies are discovered to disable the tool during attacks, including LockerGoga ransomware, China’s APT41, and the US’s Slingshot campaign. Aside from these threat actors, security researchers are also focusing on the tool since they identified more than a dozen flaws in it for 2021 alone and multiple attack techniques shown for the past years.

During a cybersecurity conference, researchers have presented new ETW attack methods distributed by attackers. Two new ETW bypassed techniques were identified at the session demonstrated against Microsoft’s Windows Defender and Process Monitor.

Microsoft’s Windows Defender is prone to be blinded by threat actors by assigning zero to the registry values conforming to the ETW sessions. The process is done by a malicious kernel driver’s kernel memory by modifying fields in its structures related to Windows Defender ETW sessions.

On the other hand, despite being well-known for malware analysis, researchers found that Process Monitor associated with the tool can be impeded by any malicious application with admin privileges on the targeted system and launch a fake session while executing attacks. The application will not receive any network activity telemetry because of the disruption, which blinds ETW, and is not fixed even if users restart the Process Monitor.

Researchers also highlighted that the attacks against Windows Defender and Process Monitor are capable of disabling a full set of security solutions. Nonetheless, the issues were brought up to raise awareness among users, developers, and the industry about the architectural problem and find ways to fix it.

About the author

Leave a Reply