security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

COMPlus_ETWEnabled Atomics (#3010)

Browse Source 
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Nasreddine Bencherchali
2024-12-11 02:01:25 +01:00
committed by GitHub
parent 51d195d066
commit 8a2891aa01
1 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1562.006/T1562.006.yaml
+34
View File
@@ -201,3 +201,37 @@ atomic_tests:
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required.
supported_platforms:
- windows
executor:
command: REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
cleanup_command: REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1
name: command_prompt
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
cleanup_command: Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
name: powershell
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required.
supported_platforms:
- windows
executor:
command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
cleanup_command: REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required.
supported_platforms:
- windows
executor:
command: New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
cleanup_command: Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled
name: powershell
elevation_required: true