Challenge 27: Provider Unregistration

Medium ETW Bypass

Objective

Disable the MostShittyEDR’s ETW provider from the trace session without killing the session itself, so Rule 8’s session health check continues to pass.

Background

ETW trace sessions and providers are separate concepts:

Using the ETW controller APIs, you can selectively disable a specific provider from a session. The session continues to run (healthy), but the provider no longer emits events into it.

The Weakness

Rule 8 checks two things:

  1. Is EtwEventWrite patched? (byte check)
  2. Is the trace session still running? (session query)

It does not check whether the provider is still enabled in the session. Disabling the provider leaves both checks green while the telemetry goes dark.

Rules

  1. The EDR agent must be running with ETW enabled and admin privileges
  2. Disable the MostShittyEDR provider in the trace session
  3. The trace session must continue to exist (Rule 8 session check must pass)
  4. Verify no more ETW events are emitted by the agent

Hints

Hint 1 The provider GUID is hardcoded: {4D6F7374-5368-6974-7479-454452000000}. You can find it in the binary or in the source code.
Hint 2 logman update trace "SESSION" -p "{GUID}" 0 0 --ets can modify provider settings in a running session. Setting keywords and level to 0 effectively silences the provider.
Hint 3 Alternatively, use EnableTraceEx2 with EVENT_CONTROL_CODE_DISABLE_PROVIDER (0) to programmatically disable the provider in the session.