Detection rules › Splunk
ETW Registry Disabled
The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the ETWEnabled registry value under the .NETFramework path. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1127 Trusted Developer Utilities Proxy Execution, T1562.006 Impair Defenses: Indicator Blocking |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: tstats
tstats WHERE Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" Registry.registry_value_data=0x00000000 Registry.registry_value_name="ETWEnabled" BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product
Stage 2: search
search
Stage 3: where
where isnotnull(registry_value_data)
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Registry.registry_path | eq |
|
Registry.registry_value_data | eq |
|
Registry.registry_value_name | eq |
|