LoFP / setting the \"complus_etwenabled\" value as a global environment variable either in user or machine scope should only happens during debugging use cases, hence the false positives rate should be very minimal.

Techniques

• T1562
• T1562.006

Sample rules

Windows Registry Dotnet ETW Disabled Via ENV Variable

• source: splunk
• technicques:
  • T1562.006
  • T1562

Description

The following analytic detects a registry modification that disables the ETW for the .NET Framework. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the COMPlus_ETWEnabled registry value under the “Environment” registry key path for both user (HKCU\Environment) and machine (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) scopes. This activity is significant because disabling ETW can allow attackers to evade Endpoint Detection and Response (EDR) tools and hide their execution from audit logs. If confirmed malicious, this action could enable attackers to operate undetected, potentially leading to further compromise and persistent access within the environment.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="*\\Environment*" Registry.registry_value_name="COMPlus_ETWEnabled" (Registry.registry_value_data=0x000000000 OR Registry.registry_value_data=0) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_registry_dotnet_etw_disabled_via_env_variable_filter`