From 59a04add34cfa61d8df5b3033f6a3fcf57c53d28 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 6 Jun 2020 14:36:37 +0200
Subject: [PATCH] Extended suspicious env variable set to disable ETW
---
 yara/gen_suspicious_strings.yar | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/yara/gen_suspicious_strings.yar b/yara/gen_suspicious_strings.yar
index 0ed1fe5..c3aedea 100644
--- a/yara/gen_suspicious_strings.yar
+++ b/yara/gen_suspicious_strings.yar
@@ -364,10 +364,17 @@ rule SUSP_Disable_ETW_Jun20_1 {
 meta:
 description = "Detects method to disable ETW in ENV vars before exeucting a program"
 author = "Florian Roth"
- reference = "https://twitter.com/_xpn_/status/1268712093928378368"
+ reference = "https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3"
 date = "2020-06-06"
 strings:
 $x1 = "set COMPlus_ETWEnabled=0" ascii wide fullword
+ $x2 = "$env:COMPlus_ETWEnabled=0" ascii wide fullword
+
+ $s1 = "Software\\Microsoft.NETFramework" ascii wide
+ $sa1 = "/v ETWEnabled" ascii wide fullword
+ $sa2 = " /d 0" ascii wide
+ $sb4 = "-Name ETWEnabled"
+ $sb5 = " -Value 0 "
 condition:
- $x1
+ 1 of ($x*) or 3 of them
 }
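Review bot: The new `$s1` string appears to have the registry path wrong: the ETWEnabled value lives under `...\Microsoft\.NETFramework` (a backslash before the dot), so `"Software\\Microsoft.NETFramework"` matches literal `Software\Microsoft.NETFramework` and will presumably never hit the `reg add` / `New-ItemProperty -Path` commands this rule is meant to catch, and without `nocase` it also misses the common `SOFTWARE\...` spelling. The two PowerShell strings are also declared without `wide`, unlike every other string in the rule, so a UTF-16 script or command line would only satisfy the `$sa*` side. Suggested lines: `$s1 = "Software\\Microsoft\\.NETFramework" ascii wide nocase`, `$sb4 = "-Name ETWEnabled" ascii wide`, `$sb5 = " -Value 0 " ascii wide`. Since `3 of them` can be met by short fragments such as `" /d 0"` and `" -Value 0 "`, it may be worth tightening the condition to require `$s1` or `$sa1`/`$sb4` alongside them once `$s1` actually matches; the `exeucting` typo in the context line's description is pre-existing.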