Image Source: Loss Prevention Management
Security researchers have developed two new attacks methods that can be used to blind cybersecurity products. At a Black Hat Europe Cybersecurity conference at Binarly, these methods were presented. There is a specific mechanism called Event Tracing for Windows (ETW), which is provided by default with the Windows OD since Window XP.
The ETW system is designed for tracing and logging events linked with user-mode applications and Kernel-mode drivers. The ETW in Window 11 can collect more than 50,000 event types from roughly 1,000 providers, including operating system services, cybersecurity tools, common applications, DLLs, the OS Kernel, and drivers.
ETW is leveraged by a few endpoint detection and response (EDR) solutions to monitor security-related events and detect malware. Threat actors include profit-driven cybercriminals and state-sponsored cyberspies, have been known to disable ETW in their attacks in an effort to avoid detections. To exemplify, China-linked APT41, the LockerGoga ransomware, and the U.S-linked Slingshot campaign.
ETW has also been increasingly targeted by security researchers, with well over a dozen identified in 2021 alone, and tens of attack techniques presented over the past years.
ETW bypass techniques and their effectiveness against windows defender and Process Monitor. In the case of Process Monitor case, the researchers showed that a malicious app with admin advantage on a targeted system was able to halt the ETW session linked to Process Monitor and create a fake session, which eventually resulted in the app no longer receiving network activity telemetry, simply blinded by the attacker, in addition, the issue does not get fixed even when Process Monitor is restarted.
Image Source: ISG
In the case of Windows Defender, the researcher explained that it could be blinded by specifying zero to registry values related to ETW sessions. This was done by the malicious Kernel driver, by changing the kernel memory field in Kernel structures related to ETW sessions of Windows Defender.
These attack methods have not been exploited by any cybercriminals or spotted in the wild. Since the goal of these attacks is to blind EDR products, the exploitation would be very difficult to detect. Therefore, the security community should stay aware regarding such attacks and implement proactive defense strategies.