For all Windows internals people -- anyone know which Windows processes are commonly responsible for event tracing (using evntprov.h)? I'd like to hook EventWriteTransfer as a means of surgically suppressing certain event logging during red team scenarios. 1/?
For example, could it be as easy as identifying the target process, injecting your dll, using detours to set the hook with the added logic "if(EventDescriptor->Id == 4624){ return ERROR_SUCCESS; }"? 2/?
I suppose my question is this: does anyone know which process is commonly responsible for the Microsoft-Windows-Security-Auditing event tracing provider?
Windows Internals Part 1 talks about how the event tracing functionality is implemented within Ntdll.dll. I'm living in userland and hoping to hook userland memory... Is it possible that some userland processes have ETW event handlers that can be hooked? 4/?
ANSWER: I found out how to do what I wanted. Here's an awesome article by @_batsec_: blog.dylan.codes/pwning-wind… It turns out that you can just check every process for whether it contains the module wevtsvc.dll. Then you inject into that process and patch EtwEventCallback. 5/?

9:36 PM · Jan 14, 2021

Replying to @infosecuriti
Glad it's helpful. I've written a couple of YARA rules to disable detection for some common techniques. Feel free to add any others you find useful.