ETW Provider Toggling

The Microsoft-Windows-Threat-Intelligence provider is an ETW provider that was introduced in Windows 10.

This provider logs information about a considerable number of APIs that are commonly used in malicious activity (for example memory allocation, writes and protection changes in remote processes, and thread injection), which is why security products consume it.

The events logged by this provider can be observed using Pavel Yosifovich's tool, ETW Explorer:

As you can see, most malicious activities would include at least one action logged by this provider one way or another.

In order to turn off the provider, the following steps must be taken:

1. Jump to KernelBase + the EtwThreatIntProvRegHandle offset to obtain a pointer to the _ETW_REG_ENTRY that represents the TI provider.

2. In the _ETW_REG_ENTRY, locate the _ETW_GUID_ENTRY member called GuidEntry.

3. Inside GuidEntry, locate ProviderEnableInfo, of type _TRACE_ENABLE_INFO.

4. The first member of _TRACE_ENABLE_INFO is IsEnabled: write 0 to turn the provider off, or 1 to turn it back on.

The code looks like this:

Lazarus attacks carried out in the autumn of 2021 used this very technique to turn off ETW providers on victim machines, extending it to a number of additional providers, which differ only in their "RegHandles".
