Security researchers have created two new attack methods that can blind cybersecurity products. Presented at a cybersecurity conference, the methods abuse Event Tracing for Windows (ETW), a logging mechanism that has shipped by default with the Windows OS since Windows XP.

What’s new?

Researchers from Binarly have disclosed two ETW bypass techniques and demonstrated their effectiveness against Windows Defender and Process Monitor.
  • In the Process Monitor case, the researchers showed that a malicious app with admin privileges on the target system could stop the ETW session used by Process Monitor and create a fake session in its place.
  • As a result, Process Monitor no longer received network activity telemetry; it was simply blinded by the attacker. Moreover, the issue persists even after Process Monitor is restarted.
  • In the Windows Defender case, the researchers explained that it could be blinded by setting registry values related to its ETW sessions to zero.
  • This was done by a malicious kernel driver that modified fields in the kernel structures backing Windows Defender's ETW sessions.
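Both techniques leave a checkable trace: an autologger whose registry "Start" value has been zeroed, or an expected session that is no longer running. The script below is an added example (not from the article or from Binarly's tooling) that audits those two conditions for Windows Defender's ETW sessions; it assumes the standard Autologger registry layout, the Defender autologger names DefenderApiLogger and DefenderAuditLogger as found on a default Windows 10/11 install, and an elevated PowerShell session.

```powershell
# Added example: audit Windows Defender ETW autologgers for the "zeroed
# registry value" and "stopped session" conditions described above.
# Assumptions: session names below are from a default Windows 10/11 install;
# run elevated so Get-EtwTraceSession can enumerate all live sessions.

$AutologgerRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'
$ExpectedSessions = @('DefenderApiLogger', 'DefenderAuditLogger')

function Test-DefenderEtwSessions {
    $findings = @()
    foreach ($name in $ExpectedSessions) {
        $key = Join-Path $AutologgerRoot $name
        if (-not (Test-Path $key)) {
            $findings += "[MISSING]  Autologger key $key is not present"
            continue
        }
        $props = Get-ItemProperty -Path $key
        # Start = 1 means the autologger is started at boot; a value of 0
        # silently disables it without touching any Defender binary.
        if ($props.Start -ne 1) {
            $findings += "[TAMPERED] $name Start=$($props.Start) (expected 1)"
        }
        # A session that is configured to run but is absent from the live
        # list was stopped (or replaced) after boot.
        $live = Get-EtwTraceSession -Name $name -ErrorAction SilentlyContinue
        if (-not $live) {
            $findings += "[STOPPED]  $name is not an active ETW session"
        }
    }
    if ($findings.Count -eq 0) {
        return 'OK: all expected Defender ETW sessions are configured and running'
    }
    return $findings
}

Test-DefenderEtwSessions
```

Any `[TAMPERED]` or `[STOPPED]` line on a host where Defender is the active AV warrants investigation of recent registry writes under the Autologger key and of loaded kernel drivers.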

In the past, several threat actors, including APT41, LockerGoga, and Slingshot APT, have been observed abusing ETW against their victims, although not in the manner demonstrated by the researchers.

Additional insights

According to the researchers, the methods are very practical: even secure ETW sessions can be tampered with by modifying various fields in a kernel structure.
  • Binarly has developed open-source tools to identify and stop ETW attacks; these tools will be made available shortly.
  • The researchers demonstrated their attacks on Process Monitor and Windows Defender, but they claim that this type of attack can disable a whole range of security solutions.

Ending notes

At present, these attack methods have not been exploited by any cybercriminals or spotted in the wild. Moreover, since the goal of these attacks is to blind EDR products, exploitation would be very hard to detect. The security community should therefore stay aware of such attack methods and implement proactive defense strategies.

Cyware Publisher