Explore the power of Event Tracing for Windows (ETW) for detecting intrusions in this comprehensive conference talk from Derbycon 7. Dive into ETW's capabilities, including its visibility and overview, and learn how to capture and interpret ETW events. Discover real-time ETW solutions through practical examples using krabset, such as DNS lookups, PowerShell DLL loads, and thread injection detection. Revisit the forensic wishlist and examine various attack scenarios, including process starts, obfuscated PowerShell, and data exfiltration. Address challenges like event overload and learn techniques for reducing event volume and identifying different types of signals. Explore performance, reliability, and tampering concerns, and gain insights into how red teams operate. Conclude with practical advice on implementing ETW in your environment and a glimpse into future developments in this field.
Overview
Syllabus
Intro
ETW to the rescue
ETW visibility
ETW overview
What does an event look like?
How do you capture ETW events?
Real-time ETW solutions
krabset DNS lookup example
krabsetw PowerShell DLL load example
krabsetw PowerShell method example
krabsetw thread injection example
Forensic wishlist, revisited
Process Start
PowerShell DLL Loaded
Obfuscated PowerShell
Data Exfiltration
Malicious PowerShell
Remote Thread Injection
Event overload!
Reducing event volume
Types of signals
Techniques applied
Performance & Reliability
Tampering
How does the Red team do?
How can you use ETW in your environment?
What's next?
Questions?
