Event Tracing for Windows (ETW)
Event Tracing for Windows (ETW) is a high-performance event tracing framework in Windows that enables real-time monitoring, logging, and analysis of system and application events. It is a valuable tool for threat detection, incident response, and forensic investigations.
- High-speed tracing: ETW operates with minimal performance impact, allowing real-time event logging.
- Extensive event coverage: Logs system calls, process activity, network events, file modifications, and more.
- Flexible architecture: Supports both kernel-mode and user-mode event providers.
- Customizable logging: Users can define and enable event providers tailored to their security and monitoring needs.
- Seamless integration: Works with Microsoft tools such as PowerShell (`Get-WinEvent`) and Message Analyzer for event retrieval and analysis.
ETW follows a publish-subscribe model with the following key components:

- Controllers: Manage ETW trace sessions and enable or disable providers. Example: `logman.exe` (built-in utility for managing ETW logs).
- Providers: Generate and log events. There are four types of providers:
  - MOF Providers: Use Managed Object Format (MOF) schemas to define events.
  - WPP Providers: Use Windows Software Trace Preprocessor (WPP) macros in source code for event generation.
  - Manifest-based Providers: Define events using XML manifests for flexibility.
  - TraceLogging Providers: Utilize the TraceLogging API for simplified event generation.
- Consumers: Subscribe to events for processing and analysis. Events are stored in `.ETL` (Event Trace Log) files for offline analysis; consumers can also access events via the Windows API.
- Channels: Logical containers that help organize and filter events. Consumers subscribe to specific channels based on event importance.
- Log files: Store event logs for forensic analysis and archival. ETW supports efficient log rotation and management.
- Some ETW providers are disabled by default to reduce resource consumption.
- Only ETW provider events with a Channel property can be consumed by the event log.
- ETW can be extended through custom event providers.
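The two points above (providers disabled by default, and only channel-linked events reaching the event log) can be checked directly from PowerShell. The following is an added example, not code from the original page: for each provider of interest it lists the event-log channels the provider is linked to and whether each channel is currently enabled. The provider names are assumed to be registered on the host; the `wevtutil` line at the end shows how a channel that ships disabled is switched on.

```powershell
# Added example (not from the original page). Providers named here are
# assumed to be registered on the host being examined.
$providersOfInterest = @(
    'Microsoft-Windows-Kernel-Process',
    'Microsoft-Windows-PowerShell',
    'Microsoft-Windows-DNS-Client'
)

function Get-ProviderChannelStatus {
    param([string[]]$Names)

    foreach ($name in $Names) {
        try {
            # ProviderMetadata: Name, Id (GUID) and LogLinks (the channels)
            $prov = Get-WinEvent -ListProvider $name -ErrorAction Stop
        } catch {
            Write-Warning "Provider '$name' is not registered on this host"
            continue
        }

        if ($prov.LogLinks.Count -eq 0) {
            # No Channel property: the event log can never consume these events;
            # they are only reachable through a trace session / .etl file.
            [pscustomobject]@{
                Provider  = $prov.Name
                Guid      = $prov.Id
                Channel   = '<none: trace session only>'
                Type      = $null
                IsEnabled = $null
            }
            continue
        }

        foreach ($link in $prov.LogLinks) {
            # Analytic/Debug channels usually exist but are disabled by default.
            $log = Get-WinEvent -ListLog $link.LogName -ErrorAction SilentlyContinue
            $type = $null
            $enabled = $null
            if ($log) {
                $type = $log.LogType
                $enabled = $log.IsEnabled
            }
            [pscustomobject]@{
                Provider  = $prov.Name
                Guid      = $prov.Id
                Channel   = $link.LogName
                Type      = $type
                IsEnabled = $enabled
            }
        }
    }
}

Get-ProviderChannelStatus -Names $providersOfInterest | Format-Table -AutoSize

# To switch on a channel that ships disabled (run from an elevated prompt):
#   wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true
```

A channel that reports `IsEnabled = False` produces nothing in Event Viewer or `Get-WinEvent` until it is enabled, so a provider appearing in the list of "interesting" providers is not by itself evidence that its telemetry is being collected.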
- PowerShell (`Get-WinEvent`): Retrieve and filter ETW logs.
- Microsoft Message Analyzer: Advanced event parsing and correlation.
- Windows Performance Analyzer (WPA): Analyze system performance using ETW logs.
Logman is a pre-installed utility for managing Event Tracing for Windows (ETW) and event tracing sessions. It is invaluable for creating, starting, stopping, and investigating tracing sessions. The `-ets` parameter queries the event tracing sessions directly, giving insight into the system-wide tracing sessions that are currently running.
When we examine an event tracing session directly, we uncover specific session details including the name, maximum log size, log location, and the subscribed providers. This information is invaluable for incident responders.

For each provider subscribed to the session, we can acquire critical data:

- Name / Provider GUID: The unique identifier for the provider.
- Level: The event level, indicating whether the session is filtering for warning, informational, critical, or all events.
- Keywords Any: Keywords create a filter based on the kind of event generated by the provider.
Using the `logman query providers` command, we can generate a list of all available providers on the system, including their respective GUIDs. Windows 10 includes more than 1,000 built-in providers. Moreover, third-party software often incorporates its own ETW providers, especially software operating in kernel mode. Because of the high number of providers, use the `findstr` command to filter for the one you need.
By specifying a provider with logman, we gain a deeper understanding of the provider's function. This tells us which keywords we can filter on, the available event levels, and which processes are currently using the provider. The `Microsoft-Windows-Winlogon/Diagnostic` and `Microsoft-Windows-Winlogon/Operational` keywords reference the event logs generated by this provider.
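The logman workflow described above (list sessions, inspect one, find and inspect a provider) naturally continues into capturing a provider to an `.etl` file and reading it back. The following added example, which is not from the original page, strings those steps together in one script. The session name `IR-ProcTrace`, the output path `C:\Traces\proc.etl` (the directory must already exist), and the keyword/level values `0x10 5` are placeholders; `EventLog-Application` is used only as an example of a session name that typically exists on a Windows host.

```powershell
# Added example (not from the original page). Run from an elevated prompt;
# session name, output path and keyword/level values are placeholders.

# 1. Enumerate the event tracing sessions currently running system-wide.
logman query -ets

# 2. Inspect one session: name, max log size, log location, subscribed providers.
logman query "EventLog-Application" -ets

# 3. The provider list is long (1,000+ entries); narrow it with findstr.
logman query providers | findstr /i "Kernel-Process Winlogon"

# 4. Inspect a single provider: keywords, levels and the PIDs currently using it.
logman query providers Microsoft-Windows-Winlogon

# 5. Create and start (-ets) a session that writes one provider to an .etl file.
#    Read the keyword mask (0x10) and level (5 = verbose) from step 4 for the
#    provider you actually want; the values here are placeholders.
logman create trace "IR-ProcTrace" -p Microsoft-Windows-Kernel-Process 0x10 5 -o C:\Traces\proc.etl -ets

# 6. Stop the session; the .etl file is closed and ready for offline analysis.
logman stop "IR-ProcTrace" -ets

# 7. Parse the .etl with Get-WinEvent (-Oldest is required when reading .etl files).
Get-WinEvent -Path C:\Traces\proc.etl -Oldest |
    Select-Object -First 10 TimeCreated, Id, ProviderName, Message
```

Step 7 is the offline-analysis path the components section mentions: the `.etl` file can be copied off the host and parsed elsewhere with the same cmdlet.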
Performance Monitor
- Microsoft-Windows-Kernel-Process: Tracks process activities, useful for detecting malware techniques like injection or hollowing.
- Microsoft-Windows-Kernel-File: Monitors file operations for unauthorized access or ransomware activity.
- Microsoft-Windows-Kernel-Network: Detects network-based attacks, such as exfiltration or C2 communication.
- Microsoft-Windows-SMBClient/SMBServer: Monitors SMB traffic for signs of lateral movement or data exfiltration.
- Microsoft-Windows-DotNETRuntime: Identifies anomalies in .NET application execution or malicious assembly loading.
- OpenSSH: Tracks SSH connections and authentication attempts, useful for detecting brute force attacks.
- Microsoft-Windows-VPN-Client: Monitors VPN client events for unauthorized connections.
- Microsoft-Windows-PowerShell: Detects suspicious PowerShell activity and misuse.
- Microsoft-Windows-Kernel-Registry: Monitors registry changes linked to malware installation or persistence.
- Microsoft-Windows-CodeIntegrity: Tracks code and driver integrity, identifying unsigned or malicious code.
- Microsoft-Antimalware-Service: Detects issues with antimalware services, like evasion or disabled protection.
- WinRM: Monitors remote management activity for signs of lateral movement or remote execution.
- Microsoft-Windows-TerminalServices-LocalSessionManager: Tracks local Terminal Services sessions for unauthorized remote desktop activity.
- Microsoft-Windows-Security-Mitigations: Tracks security mitigations to identify bypass attempts.
- Microsoft-Windows-DNS-Client: Monitors DNS activity to detect DNS-based attacks or C2 communication.
- Microsoft-Antimalware-Protection: Tracks antimalware protection for evasion or disabled features.
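To show what consuming one of these providers looks like in practice, the following added example (not code from the original page) reads script block events (ID 4104) from the `Microsoft-Windows-PowerShell/Operational` channel with `Get-WinEvent -FilterHashtable` and surfaces blocks that contain a few commonly watched strings. The indicator list and the 24-hour window are assumptions chosen for illustration; script block logging must be enabled on the host for 4104 events to exist.

```powershell
# Added example (not from the original page). Indicator strings and the
# time window are assumptions; tune both for your environment.
$indicators = @('FromBase64String', '-EncodedCommand', 'Invoke-Expression', 'DownloadString')

function Get-SuspiciousScriptBlocks {
    param(
        [int]$Hours = 24,
        [string[]]$Patterns = $indicators
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                      # "Creating Scriptblock text"
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error (not an empty result) when nothing matches.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # For event 4104 the script text is the third property (index 2)
        # and the originating script path, if any, is the fifth (index 4).
        $text = [string]$e.Properties[2].Value
        $hits = $Patterns | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Computer = $e.MachineName
                Path     = $e.Properties[4].Value
                Matched  = ($hits -join ', ')
                Snippet  = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Get-SuspiciousScriptBlocks | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The same `-FilterHashtable` pattern (channel name plus event ID plus time window) applies to the other channel-backed providers in the list; only the event ID and the `Properties` indices change per event type, so check the event's XML (`$e.ToXml()`) before relying on a given index.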
Certain ETW providers in Windows are "restricted," offering valuable telemetry that is only accessible to processes with specific permissions, ensuring sensitive system data is protected.

One of these high-value, restricted providers is `Microsoft-Windows-Threat-Intelligence`. This provider offers crucial insights into potential security threats and is often leveraged in Digital Forensics and Incident Response (DFIR) operations.

Access to this provider requires Protected Process Light (PPL) permissions, typically granted to anti-malware vendors after a thorough application process with Microsoft.
> [!NOTE]
> According to Elastic: To be able to run as a PPL, an anti-malware vendor must apply to Microsoft, prove their identity, sign binding legal documents, implement an Early Launch Anti-Malware (ELAM) driver, run it through a test suite, and submit it to Microsoft for a special Authenticode signature. It is not a trivial process. Once this process is complete, the vendor can use this ELAM driver to have Windows protect their anti-malware service by running it as a PPL.
https://web.archive.org/web/20231030010850/https://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw
With that said, .