ETW Logging Disabled In .NET Processes - Sysmon Registry

Severity: high
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Source: upstream

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1112` Modify Registry
Defense Evasion	`T1112` Modify Registry, `T1562` Impair Defenses

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `1 of selection_etw_enabled`

Details: 'DWORD (0x00000000)'
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'

Stage 2: `1 of selection_complus`

Details: [0, 'DWORD (0x00000000)']
or:
TargetObject|endswith: '\COMPlus_ETWEnabled'
TargetObject|endswith: '\COMPlus_ETWFlags'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	eq	`0` corpus 4 (sigma 3, splunk 1) `DWORD (0x00000000)` corpus 38 (sigma 38)
`TargetObject`	ends_with	`SOFTWARE\Microsoft\.NETFramework\ETWEnabled` `\COMPlus_ETWEnabled` `\COMPlus_ETWFlags`