Event Tracing For Windows

Bring in the big guns!

Event Tracing for Windows (ETW)

Framework Built into windows
Matches Consumers to Providers
Forms the basis of the windows event logs
Traces can be either written to file or read directly by consumers.

https://docs.microsoft.com/en-us/windows-hardware/test/weg/instrumenting-your-code-with-etw

How does ETW work ?

Various software packages throughout the Operating System register themselves as an Event Provider using a unique GUID
As the software operates, various logging points within the code send "Events" to the provider.
The operating system simply matches consumers with providers
A consumer registers interest in a particular provider using the GUID
Note that if no consumers are interested ETW logging points are essentially free.

ETW Providers

Any software can define an ETW provider
There is no consistency - some providers are detailed - some not
Discoverability is an issue! Some providers are less documented
It is sometimes possible to infer a lot of providers from their manifest files.
There are some public efforts to better document the available providers.

View ETW providers registered

Some information can be gathered by using the command

logman query providers

Monitoring the ETW stream

As an example, we will illustrate how to follow an ETW stream with the watch_etw() plugin.
VQL allows Velociraptor to attach to an ETW stream and filter, enrich or respond to events directly on the endpoint.
We can use WEP Explorer to explore interesting sources of ETW events.

WEP Explorer shows the different events available

Monitoring for DNS sources

Collecting DNS lookup from the entire fleet

Unique ETW sources: Process parent spoofing

ETW can provide information that is not normally available - for example reliable process parent/child relationships.
Many detections rely on parent/child relationships
The Windows CreateProcess() API allows the caller to specify the parent of a process.
This means it is trivial to spoof the parent process without any privileges - this is a very effective way to defeat parent/child based detections.

Process Spoofing

SelectMyParent.exe is a free to tool test this API but any software can use the API

https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/

SelectMyParent.exe

Can sysmon detect it?

No unfortunately…

Cobalt Strike process parent spoof

Parent Process Spoofing and Session Prepping with Cobalt Strike https://www.youtube.com/watch?v=DOe7WTuJ1Ac

Microsoft-Windows-Kernel-Process provider

Windows.ETW.DetectProcessSpoofing

https://docs.velociraptor.app/exchange/artifacts/pages/windows.etw.detectprocessspoofing/

Installing parent spoofing detection in Velociraptor

False positives - UAC elevation

Event Tracing For Windows Bring in the big guns!