Challenge 25: Kill the Trace Session
Easy ETW Bypass
Objective
Terminate the MostShittyEDR’s ETW trace session to blind its telemetry pipeline.
Background
The MostShittyEDR agent starts an ETW (Event Tracing for Windows) trace session to collect detection events as telemetry. Real EDRs use ETW extensively — it’s the primary mechanism for both user-mode and kernel-mode event collection on Windows.
ETW trace sessions are managed by controllers — any process with sufficient privileges can query, modify, or stop a trace session using tools like logman.exe or the ETW controller APIs.
The Weakness
The agent uses a hardcoded session name: MostShittyEDR-Telemetry. This name is:
- Discoverable by enumerating active trace sessions
- Stoppable by any process with admin privileges
- Not re-created if killed (the agent checks periodically, but there’s a gap)
Rules
- The EDR agent must be running with
--verboseand admin privileges - Terminate the ETW trace session so the agent can no longer emit telemetry events
- Rule 8 will detect the session loss — but only on the next check cycle
Hints
Hint 1
List all active ETW trace sessions on the system. What tool shows you running sessions?Hint 2
logman query -ets lists all active Event Trace Sessions. Look for the MostShittyEDR session name.
Hint 3
logman stop "SESSION_NAME" -ets terminates a running trace session.
MostShittyEDR