Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors

Conference:  BlackHat USA 2021



The presentation discusses the architecture and features of Event Tracing for Windows (ETW) and the importance of detecting and preventing attacks on it to ensure effective cybersecurity solutions.
  • ETW is a built-in Windows logging mechanism designed to observe and analyze application behavior.
  • ETW has three distinct components: controllers, providers, and consumers.
  • ETW is used in large-scale business solutions such as Docker and Amazon CloudWatch.
  • ETW is crucial for effective cybersecurity solutions, but attacks on it can blind security solutions that rely on it.
  • The presentation introduces two new attacks on ETW and two solutions, ETW Check and Memory Ranger, to detect and prevent attacks on it.
  • Memory Ranger is a hypervisor-based utility that prevents attacks on kernel memory.
  • ETW Check is a tool that detects attacks on ETW.
  • It is important for security solutions to receive signals from both below and above the operating system to effectively respond to threats.
One of the first examples of using ETW tools to reveal and analyze malicious behavior was presented by Mark Russinovich in his talk "Malware Hunting with Sysinternals Tools" about 10 years ago. Since then, developers of other EDRs have leveraged ETW to monitor security-related events and to successfully detect and respond to cutting-edge malware.


Event Tracing for Windows (ETW) is a built-in feature originally designed for software diagnostics; today ETW is essential for Endpoint Detection & Response (EDR) solutions. ETW is deeply integrated into the Windows kernel and is involved in many API calls that trace OS events. ETW functions are used by numerous EDRs, business and academic projects to respond to security threats. The bad news for defenders is that ETW is vulnerable: malware countermeasures can disable ETW, making the whole class of ETW-based EDRs useless.

We will analyze the existing attacks on ETW, uncover some ETW internals (data structures and reversed kernel API routines), and demonstrate two new attacks on ETW. These attacks blind ETW-based EDRs without triggering any OS security feature such as Kernel Patch Protection (KPP). A newly released tool, Binarly Sensor, can detect both attacks, while an updated MemoryRanger can prevent only the second one.

The first attack targets the NT Kernel Logger session. Process Monitor collects network events through this logger. To blind Process Monitor, we will use an application that illegally stops the running NT Kernel Logger session. The Circular Kernel Context Logger and other logger sessions can be attacked in the same way.

The second attack targets the ETW logger sessions used by Windows Defender. It is based on patching ETW data structures. We will demonstrate a kernel driver that queries information about ETW logger sessions and stops them, which disables the defense mechanisms that depend on them.

A new protection tool, Binarly Sensor, can reveal both attacks. It uses a kernel driver to extract information about critical OS data and code, and it can disclose various attacks on the Windows kernel. These attacks affect all versions of Windows from Vista to 11, which is crucial for the design of the core features of ETW.
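As an added example (not code from the talk, from Binarly Sensor or from MemoryRanger), the following PowerShell shows the user-mode half of the check a sensor needs for the first attack: it polls the set of running ETW logger sessions and reports any that disappear, flagging the sessions that consumers such as Process Monitor depend on. It assumes Windows 10 or later, where the EventTracingManagement module's Get-EtwTraceSession cmdlet is available, and an elevated shell; the list of critical session names is an assumption taken from the sessions the talk names.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the talk or from Binarly's tools. Assumes Windows 10+
# where the EventTracingManagement module provides Get-EtwTraceSession. The session
# names below are an assumption: the loggers the talk's first attack stops.
$SessionsSensorsDependOn = @('NT Kernel Logger', 'Circular Kernel Context Logger')

function Get-RunningEtwSessionNames {
    # Enumerates every active logger session (the same view as `logman query -ets`).
    @(Get-EtwTraceSession -ErrorAction Stop | Select-Object -ExpandProperty Name)
}

function Compare-EtwSessionBaseline {
    param(
        [string[]]$Baseline,   # session names seen at the previous poll
        [string[]]$Current,    # session names seen now
        [string[]]$Critical    # sessions whose loss blinds a consumer
    )
    $stopped = @($Baseline | Where-Object { $_ -notin $Current })
    foreach ($name in $stopped) {
        $severity = if ($name -in $Critical) { 'CRITICAL' } else { 'INFO' }
        # A session that vanishes with no administrator action (no logman/wevtutil
        # stop) is the footprint of the first attack: a caller stopping a logger it
        # does not own. Emit one line per stopped session for the caller to log.
        '[{0}] ETW session ''{1}'' was running and is now gone' -f $severity, $name
    }
}

# Take the first snapshot and warn up front if a critical logger is already absent,
# so an attack that happened before the monitor started is not silently missed.
$baseline = Get-RunningEtwSessionNames
foreach ($name in $SessionsSensorsDependOn) {
    if ($name -notin $baseline) {
        Write-Warning "'$name' is not running at start; consumers relying on it are blind"
    }
}

# Poll every 10 seconds and diff against the previous snapshot.
while ($true) {
    Start-Sleep -Seconds 10
    $current = Get-RunningEtwSessionNames
    Compare-EtwSessionBaseline -Baseline $baseline -Current $current `
                               -Critical $SessionsSensorsDependOn |
        ForEach-Object { Write-Host $_ }
    $baseline = $current
}
```

This only catches the first attack, where the session actually stops; the second attack patches ETW data structures in kernel memory and leaves the session apparently running, which is why the talk's detection relies on a kernel driver inspecting those structures rather than on a user-mode enumeration.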