From 8a2891aa01cd3b3c680bd5c4a370c3eae2c0f705 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Wed, 11 Dec 2024 02:01:25 +0100
Subject: [PATCH] COMPlus_ETWEnabled Atomics (#3010)
Co-authored-by: Carrie Roberts
---
atomics/T1562.006/T1562.006.yaml | 34 ++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/atomics/T1562.006/T1562.006.yaml b/atomics/T1562.006/T1562.006.yaml
index ba249b85..f79e451a 100644
--- a/atomics/T1562.006/T1562.006.yaml
+++ b/atomics/T1562.006/T1562.006.yaml
@@ -201,3 +201,37 @@ atomic_tests:
 Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore
 name: powershell
 elevation_required: true
+- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
+ description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required.
+ supported_platforms:
+ - windows
+ executor:
+ command: REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
+ cleanup_command: REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1
+ name: command_prompt
+- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
+ description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required.
+ supported_platforms:
+ - windows
+ executor:
+ command: New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
+ cleanup_command: Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled
+ name: powershell
+- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
+ description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required.
+ supported_platforms:
+ - windows
+ executor:
+ command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f
+ cleanup_command: REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1
+ name: command_prompt
+ elevation_required: true
+- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
+ description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required.
+ supported_platforms:
+ - windows
+ executor:
+ command: New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force
+ cleanup_command: Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled
+ name: powershell
+ elevation_required: true
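Review bot: The two PowerShell `cleanup_command` lines (the HKCU test in the middle of the hunk and the HKLM test at its end) call Remove-ItemProperty without `-Force -ErrorAction Ignore`, so running cleanup when the value is already absent — cleanup invoked on its own, or after the reg.exe variant removed it — writes an error, whereas the two Cmd variants silence failures with `> nul 2>&1` and the pre-existing test in the context lines above uses `-Force -ErrorAction Ignore`. Suggest `cleanup_command: Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Force -ErrorAction Ignore` and the same flags on the HKLM `Session Manager\Environment` line so all four tests clean up idempotently. For the detection side, the observable these tests produce is a write of the `COMPlus_ETWEnabled` value under the two Environment keys named here, which is what a rule validated with these atomics should key on. The `atomic_tests` sequence these entries extend begins outside the hunk.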