GET /api/techniques/177/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 177,
"key": "disabling-event-tracing-for-windows-etw",
"unprotect_id": "U0306",
"name": "Disabling Event Tracing for Windows (ETW)",
"description": "Many EDR solutions leverage Event Tracing for Windows (ETW) extensively. ETW allows for extensive instrumentation and tracing of a process's functionality and WINAPI calls. It has components in the kernel, to register callbacks for system calls and other kernel operations, but also consists of a userland component that is part of ntdll.dll. \r\n\r\nSince ntdll.dll is a DLL loaded into the process of a binary, an attacker can have full control over this DLL and therefore over the ETW functionality. The most common bypassing technique is patching the function EtwEventWrite, which is called to write/log ETW events. It is possible to fetch its address in ntdll.dll and replace its first instructions with instructions that return 0 (SUCCESS).",
"windows": "",
"linux": "",
"macos": "",
"resources": "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/",
"creation_date": "2022-04-19T00:09:38.360000Z",
"tags": "anti-forensic",
"modification_date": "2023-10-04T10:42:56.937000Z",
"category": [
8
],
"rules": [],
"attachments": [],
"featured_api": [
425
],
"contributors": []
}