ETW Logging Disabled In .NET Processes - Registry

Severity: high
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Source: upstream

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1112` Modify Registry
Defense Evasion	`T1112` Modify Registry, `T1562` Impair Defenses

Event coverage

Provider	Event ID	Title
Security-Auditing	4657	A registry value was modified.

Stages and Predicates

Stage 1: `1 of selection_etw_enabled`

NewValue: 0
ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
ObjectValueName: ETWEnabled

Stage 2: `1 of selection_complus`

ObjectValueName: [COMPlus_ETWEnabled, COMPlus_ETWFlags]
NewValue: 0
ObjectName|contains: '\Environment'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`NewValue`	eq	`0` corpus 4 (sigma 3, splunk 1)
`ObjectName`	ends_with	`\SOFTWARE\Microsoft\.NETFramework`
`ObjectName`	match	`\Environment`
`ObjectValueName`	eq	`COMPlus_ETWEnabled` `COMPlus_ETWFlags` `ETWEnabled`