From d3e261862de3448e192964340dc864734cfcebe2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 6 Jun 2020 15:42:22 +0200
Subject: [PATCH] merged Cyb3rWarD0g's rules
---
 .../windows/builtin/win_etw_modification.yml | 32 ++++++++++++++++
 .../win_etw_modification_cmdline.yml | 28 ++++++++++++++
 rules/windows/sysmon/sysmon_etw_disabled.yml | 37 +++++++++++--------
 3 files changed, 81 insertions(+), 16 deletions(-)
 create mode 100644 rules/windows/builtin/win_etw_modification.yml
 create mode 100644 rules/windows/process_creation/win_etw_modification_cmdline.yml
diff --git a/rules/windows/builtin/win_etw_modification.yml b/rules/windows/builtin/win_etw_modification.yml
new file mode 100644
index 000000000..489bcd8d2
--- /dev/null
+++ b/rules/windows/builtin/win_etw_modification.yml
@@ -0,0 +1,32 @@
+title: COMPlus_ETWEnabled Registry Modification
+id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
+status: experimental
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+references:
+    - https://twitter.com/_xpn_/status/1268712093928378368
+    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+    - https://bunnyinside.com/?term=f71e8cb9c76a
+    - http://managed670.rssing.com/chan-5590147/all_p1.html
+    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/05
+tags:
+    - attack.defense_evasion
+    - attack.t1112
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4657
+        ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
+        ObjectValueName: 'ETWEnabled'
+        NewValue: '0'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_etw_modification_cmdline.yml b/rules/windows/process_creation/win_etw_modification_cmdline.yml
new file mode 100644
index 000000000..7a7750fab
--- /dev/null
+++ b/rules/windows/process_creation/win_etw_modification_cmdline.yml
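Review bot: Event 4657 from `service: security` is only written for registry keys that carry a SACL with "Audit Registry" enabled, so this rule is silent on a default-configured host and the prerequisite should be stated in the rule, e.g. `description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. Requires 'Audit Registry' and a SACL for value changes on HKLM\SOFTWARE\Microsoft\.NETFramework.` The anchor `ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'` also does not cover the redirected `Wow6432Node` path that 32-bit processes on 64-bit hosts read; if the CLR honours that key (I believe it does), a second `endswith` value for `\SOFTWARE\Wow6432Node\Microsoft\.NETFramework` closes the gap, and the same applies to `TargetObject|endswith` in the sysmon_etw_disabled.yml hunk. `falsepositives: - unknown` next to `level: critical` deserves a second look, since a critical rule normally names the benign cases an analyst should rule out first.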
@@ -0,0 +1,28 @@
+title: COMPlus_ETWEnabled Command Line Arguments
+id: 41421f44-58f9-455d-838a-c398859841d4
+status: experimental
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+references:
+    - https://twitter.com/_xpn_/status/1268712093928378368
+    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+    - https://bunnyinside.com/?term=f71e8cb9c76a
+    - http://managed670.rssing.com/chan-5590147/all_p1.html
+    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: 'COMPlus_ETWEnabled=0'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_etw_disabled.yml b/rules/windows/sysmon/sysmon_etw_disabled.yml
index 073f2ee95..98560fdf5 100644
--- a/rules/windows/sysmon/sysmon_etw_disabled.yml
+++ b/rules/windows/sysmon/sysmon_etw_disabled.yml
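Review bot: `CommandLine|contains: 'COMPlus_ETWEnabled=0'` is a single literal substring, so any whitespace around the `=` or a quoted value is not matched; turning the field into a list of the spacing/quoting variants, or using the `|re` modifier where the backend supports it, makes the selection tolerant without widening it. The variable is normally inherited from the parent's environment rather than passed on the command line, so process_creation only sees the inline-assignment cases, and `description` should say so to stop a miss being read as absence, e.g. appending `Only catches the variable being set inline on a command line; an inherited environment is not visible here.` `date: 2020/05/02` also differs from the `2020/06/05` used by the two sibling rules in this commit and looks like an oversight.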
@@ -1,26 +1,31 @@
-title: ETW Disabled
-id: 11985f9f-2590-4f59-beea-88cc0507f350
+title: COMPlus_ETWEnabled Registry Modification
+id: 41421f44-58f9-455d-838a-c398859841d4
 status: experimental
-description: Detects methods that disable ETW (Event Tracing) to evade detection
-references:
- https://twitter.com/_xpn_/status/1268712093928378368?s=20
- https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
+description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+references:
+    - https://twitter.com/_xpn_/status/1268712093928378368
+    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+    - https://bunnyinside.com/?term=f71e8cb9c76a
+    - http://managed670.rssing.com/chan-5590147/all_p1.html
+    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/05
 tags:
     - attack.defense_evasion
-    - attack.t1089
-author: Florian Roth
-date: 2020/06/06
+    - attack.t1112
 logsource:
     product: windows
     service: sysmon
 detection:
     selection:
-        EventID: 13 # value set
-        TargetObject|contains: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
-        Details|contains: '0x00000000'
+        EventID: 13
+        TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
+        Details: 'DWORD (0x00000000)'
     condition: selection
-fields:
-    - Image
 falsepositives:
-    - Services or programs that disable the ETW temporarily
-level: high
+    - unknown
+level: critical
\ No newline at end of file
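Review bot: `id: 41421f44-58f9-455d-838a-c398859841d4` is the same UUID the new win_etw_modification_cmdline.yml in this commit uses, and Sigma ids must be unique per rule, so one of the two will be flagged by any duplicate-id check and confuses SIEMs that key alerts on the id; since this is the pre-existing file, the simplest fix is to keep its original `id: 11985f9f-2590-4f59-beea-88cc0507f350` (or mint a fresh UUID and list the old one under `related:`). The new `title: COMPlus_ETWEnabled Registry Modification` is also byte-identical to the builtin rule's title, which makes the two indistinguishable in alert lists; something like `title: COMPlus_ETWEnabled Registry Modification (Sysmon)` separates them. Replacing `Services or programs that disable the ETW temporarily` with `unknown` drops the only documented false-positive for a rule now rated `critical`; keeping the original entry costs nothing and saves the next analyst rediscovering it.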