ITSEC Newsletter 2024-04-18

As of late, I have gotten a lot of questions around Event Tracing for Windows (ETW) patching, specifically the following questions: Which ETW providers can be patched (kernel-mode vs. user-mode)? What does it mean to actually patch out an ETW Provider? How can you detect ETW patching? These are all valuable questions, so I decided to write up on these questions and answer any misconceptions or misunderstandings people have about ETW patching.

This project was heavily inspired by the Kubernetes Threat Matrix from Microsoft which is a great starting point as it provides a framework to help understand some of the concepts in a MITRE ATTACK style framework. The Microsoft Threat Matrix was explicitly not designed to be a playbook offensive for security professionals and thus it lacks the details necessary to actually exploit (and remediate) each attack in Kubernetes cluster.

This article will cover setting up, collecting data, analyzing the data, and providing value with that data. This will use the GOADv2 forest as sample data for collection and analysis. I’ve already collected some sample data and placed it on a repository to ingest for analysis and practice.

In April 2022, Microsoft released a report detailing how the “Tarrask” malware manipulated the Security Descriptor of Scheduled Tasks as a defense evasion technique to hide malicious scheduled tasks from discovery using traditional audit tools such as Autoruns, “schtasks /query”, and the Windows Task Scheduler GUI. To help defenders further understand the security implications of manipulating the SD registry value for a scheduled task, ARC Labs performed further research to expand on potential techniques to hide scheduled tasks that evade the current detection guidance and highlight additional telemetry gaps in traditional auditing mechanisms.