EVTX/ETW Resources

This is a repository that contains a bunch of resources to learn and understand EVTX/ETW (Event Tracing for Windows)

Content

• EVTX/ETW Resources
  • Content
  • Structure
  • Blogs / Research (https://nasbench.medium.com/)
  • Tools
    • Interacting w/ ETW
    • Dumping ETW Providers Manifest
    • Scripting w/ ETW (Detection, Digital Forensics)
  • Online Resources
    • Architecture
    • Research
    • Talks
    • Books
    • Other Github Projects w/ ETW Content
  • Contributing

Structure

• ETW Providers Manifests - List of ETW XML manifests from different versions of Windows.
• Examples - Example scripts to collect ETW events using different libraries.
• ETW Events List - List of all ETW events extracted from the currently dumped ETW providers.
• ETW Providers CSVs - List containing CSVs for each ETW provider available. Where each CSV have all the available events for that specific provider across all versions of windows.

Blogs / Research (https://nasbench.medium.com/)

• A Primer On Event Tracing For Windows (ETW)
• Finding Detection and Forensic Goodness In ETW Providers
• Windows 11 “New” ETW Providers — Overview

Tools

The following is a list of tools that can let us interact with the different ETW providers available. The examples directory contains example scripts and commands on how to use these tools

Interacting w/ ETW

• Logman
• Microsoft.Diagnostics.Tracing.TraceEvent
• Message Analyzer

Dumping ETW Providers Manifest

• ETW Explorer
• WEPExplorer
• PerfView

Scripting w/ ETW (Detection, Digital Forensics)

• PSalander
• Sealighter
• PyWintrace
• SilkETW
• KrabsETW

Online Resources

The following are blogs and articles published by the wider security community discussing various aspects of ETW

Architecture

• Event Tracing: Improve Debugging And Performance Tuning With ETW by Microsoft
• About Event Tracing by Microsoft
• Part 1 - ETW Introduction and Overview by Microsoft
• Part 2 - Exploring and Decoding ETW Providers using Event Log Channels by Microsoft
• Part 3 - ETW Methods of Tracing by Microsoft
• ETW: Event Tracing for Windows 101
• ETW: Event Tracing for Windows, Part 1: Intro by Mozilla
• ETW: Event Tracing for Windows, part 2: field reporting by Mozilla
• ETW: Event Tracing for Windows, part 3: architecture by Mozilla
• ETW: Event Tracing for Windows, part 4: collection by Mozilla
• ETW Security by Geoff Chappell
• Writing an Instrumentation Manifest

Research

• Tampering with Windows Event Tracing: Background, Offense, and Defense by Palantir
• Introduction to Threat Intelligence ETW
• Detecting process injection with ETW
• Experimenting with Protected Processes and Threat-Intelligence
• Bypassing the Microsoft-Windows-Threat-Intelligence Kernel APC Injection Sensor
• Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
• Detecting Parent PID Spoofing
• Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors

Talks

• T208 Hidden Treasure Detecting Intrusions with ETW Zac Brown - Derbycon 7
• T208 Hidden Treasure Detecting Intrusions with ETW Zac Brown - GrrCON 2017
• RECON 2019 - Using WPP and TraceLogging Tracing (Matt Graeber)
• S25 Tracing Adversaries Detecting Attacks with ETW Matt Hastings Dave Hull - Derbycon 7
• The Good, the Bad and the ETW (Grzegorz Tworek)

Books

• Windows Internals, Part 2, 7th Edition
• Windows 10 System Programming, Part 2

Other Github Projects w/ ETW Content

• OSSEM Data Dictionaries by OTRF
• ETW Providers Docs by repnz
• Windows 10 ETW Events by jdu2600

Contributing

If you want to contribute to this project simply follow these steps:

1. Download the latest version of WEPExplorer
2. Download the latest version of Auto Keyboard Presser
3. Follow the steps in the GIF below

4. Fork the repo and upload your files
5. Make a PR and receive our eternal thanks