Challenge 27: Provider Unregistration
Medium ETW Bypass
Objective
Disable the MostShittyEDR’s ETW provider from the trace session without killing the session itself, so Rule 8’s session health check continues to pass.
Background
ETW trace sessions and providers are separate concepts:
- A session collects events from one or more providers
- A provider is registered by an application and emits events
- A controller can enable or disable providers within a session
Using the ETW controller APIs, you can selectively disable a specific provider from a session. The session continues to run (healthy), but the provider no longer emits events into it.
The Weakness
Rule 8 checks two things:
- Is
EtwEventWritepatched? (byte check) - Is the trace session still running? (session query)
It does not check whether the provider is still enabled in the session. Disabling the provider leaves both checks green while the telemetry goes dark.
Rules
- The EDR agent must be running with ETW enabled and admin privileges
- Disable the MostShittyEDR provider in the trace session
- The trace session must continue to exist (Rule 8 session check must pass)
- Verify no more ETW events are emitted by the agent
Hints
Hint 1
The provider GUID is hardcoded:{4D6F7374-5368-6974-7479-454452000000}. You can find it in the binary or in the source code.
Hint 2
logman update trace "SESSION" -p "{GUID}" 0 0 --ets can modify provider settings in a running session. Setting keywords and level to 0 effectively silences the provider.
Hint 3
Alternatively, useEnableTraceEx2 with EVENT_CONTROL_CODE_DISABLE_PROVIDER (0) to programmatically disable the provider in the session.
MostShittyEDR