
Hidden Treasure - Detecting Intrusions with ETW

via YouTube

Overview

Explore how Event Tracing for Windows (ETW) can be used to detect intrusions in this conference talk from GrrCON 2017. The talk covers the visibility ETW provides, gives an overview of how ETW works, and shows how to capture and interpret ETW events. It surveys real-time ETW solutions, with practical examples using krabsetw to observe DNS lookups, PowerShell DLL loading, PowerShell command execution, and thread injection. It then revisits a forensic wishlist, covering process starts, PowerShell activity, data exfiltration, and remote thread injection. It addresses the challenge of event overload, presenting techniques for reducing event volume and distinguishing different types of signals, and discusses the performance, reliability, and tamper resistance of ETW-based solutions. The talk closes with how red teams fare against ETW-based detection, how you can use ETW in your own environment, a look at future developments, and questions from the audience.

Syllabus

Intro
ETW to the rescue
ETW visibility
ETW overview
What does an event look like?
How do you capture ETW events?
Real-time ETW solutions
krabsetw DNS lookup example
krabsetw PowerShell DLL load example
krabsetw PowerShell command example
krabsetw thread injection example
Forensic wishlist, revisited
Process Start
PowerShell DLL Loaded
Obfuscated PowerShell
Data Exfiltration
Malicious PowerShell
Remote Thread Injection
Event overload!
Reducing event volume
Types of signals
Techniques applied
Performance & Reliability
Tampering
How does the Red team do?
How can you use ETW in your environment?
What's next?
Questions?
