Lateral movement is when attackers move from a compromised host to other hosts to expand their access and reach their goal. If threat hunters can detect malicious activity on an endpoint, they may see similar indicators appearing on new machines when lateral movement has occurred. But if they can detect the lateral movement as it is happening, it can be much quicker to see how the attacker is moving around, decreasing response times and possibly providing opportunities for quick containment actions.

In this article, we’ll explore remote service creation as a lateral movement technique, and illustrate how we might spot it on an endpoint. We will use this as an opportunity to explore Event Tracing for Windows (ETW), as well as how RPC calls work in Windows.

After a primer on ETW, we’ll look first at two built-in Windows utilities for creating a service, sc.exe and WMI, and then look at the Sysinternals tool PsExec, which uses remote service creation as a way of executing commands on a remote host.

ETW

Event Tracing for Windows (ETW) is a kernel-level tracing facility built into Windows that allows a wide range of system activity to be traced in real time. This makes it a great telemetry source for attack detection. Since Windows Vista, the Windows Event Log has been built on top of ETW, and both log events and ETW events have similar metadata associated with them. As we will see later, this means we can sometimes directly correlate logs with ETW events.

There are many ways to interact with ETW, including several different Microsoft utilities, as well as custom written code. For this post we will be using the built-in logman tool to capture data, and will make use of Microsoft Message Analyzer as a convenient way of searching through the results. You can also use Message Analyzer to capture data, but I found it simpler to script up logman (which is command line) on my lab machines to grab the data to analyze later.

ETW events are obtained through providers, each being identified by a GUID and, in many cases, a human-readable name. You can get a list of the providers registered with the OS with the following command:

logman query providers

This will be a long list, but it still isn’t all the providers available. Applications can define their own providers, and you can get a list for a given process by adding the “-pid” argument to the above command. You may not get human-readable names for all of the applications’ providers though, so mileage may vary.

A provider will split events up by level (verbose, informational, warning, etc.) and keyword, and when subscribing to a provider you can pass in a combination of levels and keywords that you want to receive. To get details of what a given provider has available, you can query it by name or GUID:

logman query providers "Microsoft-Windows-RPC"

This will list the keywords and levels the provider supports, as well as the processes on the system that use the provider.

There are lots of options for how to capture data from ETW, but to do a basic capture to a file starting immediately, you can just do the following:

logman -ets start some_test_log -p SomeProvider "keyword1,keyword2" win:Informational

This will log everything to some_test_log.etl. When you are done, stop with:

logman -ets stop some_test_log

If you leave out the keywords and levels, it will default to all keywords and all levels. This can be useful when testing to see what appears, but some providers will produce a torrent of data when you do this. You can also enable multiple providers by creating a file listing a provider name or GUID, one per line, and passing the filename to logman using “-pf” rather than “-p”. You can add keywords and levels after each provider name if you need to, as well. In the lab, I use “-pf” to enable a large number of providers, which I create by grepping through the full list for any that sound relevant to what I’m looking at. This is a great way to discover new providers of interest.

To analyze the data, we can use Microsoft Message Analyzer to help filter down to the interesting events, as well as make use of its parsers to get as much readable information out of the events as we can. If I have a capture with more than one provider, I like to use Message Analyzer’s “Group” functionality to group events by provider. This puts events under their respective provider and lets you collapse them down to consider each provider separately, while still allowing you to search and correlate between providers. Right click the Module column header and select “Group” to do this.

For production use, there are several APIs that can be used to consume ETW events in real time. The specifics of this are beyond the scope of this article, but you can find more information from the TechNet blog post, Hidden Treasure: Intrusion Detection with ETW (Part 2).
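The lab capture workflow described above, scripted end to end as an added example (this is not code from the original article): it searches the output of "logman query providers" for names matching a few patterns, writes the matching GUIDs to a provider file for "-pf", captures for a fixed time with "-ets", and then groups the captured events by provider. The patterns, session name, duration and file paths are assumed values chosen for illustration, and the final grouping step reads the .etl with the Get-WinEvent cmdlet, which is substituted here for Message Analyzer's "Group" view. It must be run from an elevated PowerShell prompt, since starting a trace session requires administrative rights.

```powershell
# Added example, not from the original article: automate the provider-file workflow
# with logman, then summarise the resulting .etl by provider.
# Assumptions: elevated PowerShell on Windows; $Patterns, $SessionName, $Seconds and
# the file paths are illustrative defaults, not values from the article.
param(
    [string[]]$Patterns     = @('Service', 'RPC'),
    [string]  $SessionName  = 'lab_capture',
    [string]  $ProviderFile = (Join-Path $env:TEMP 'lab_providers.txt'),
    [string]  $OutFile      = (Join-Path $env:TEMP 'lab_capture.etl'),
    [int]     $Seconds      = 60
)

$ErrorActionPreference = 'Stop'

# Starting an ETW session needs Administrators (or Performance Log Users) rights; fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt; logman cannot start an ETW session otherwise.'
}

# "logman query providers" prints one "<name> <{GUID}>" row per provider. Keep the rows
# whose name contains any of the patterns (the "grep through the full list" step).
$rowRx = '^(?<name>.+?)\s+(?<guid>\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\s*$'
$selected = logman query providers | ForEach-Object {
    if ($_ -match $rowRx) {
        foreach ($p in $Patterns) {
            if ($Matches.name -like "*$p*") {
                [pscustomobject]@{ Name = $Matches.name; Guid = $Matches.guid }
                break   # one row per provider even if several patterns match
            }
        }
    }
}

if (-not $selected) { throw "No registered provider matched: $($Patterns -join ', ')" }
Write-Host "Enabling $(@($selected).Count) provider(s):"
$selected | ForEach-Object { Write-Host ("  {0,-50} {1}" -f $_.Name, $_.Guid) }

# Provider file for -pf: one provider per line. Writing the GUID avoids quoting problems
# with names that contain spaces; with no keywords or level given, all of both are enabled.
$selected.Guid | Set-Content -Path $ProviderFile -Encoding ASCII

# Start the session immediately (-ets), capture for a while, then always stop it.
logman start $SessionName -pf $ProviderFile -o $OutFile -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
try {
    Write-Host "Capturing to $OutFile for $Seconds seconds ..."
    Start-Sleep -Seconds $Seconds
} finally {
    logman stop $SessionName -ets | Out-Null
}

# Group by provider, the same view the article builds in Message Analyzer.
# Get-WinEvent reads .etl files directly; -Oldest is required for them.
Get-WinEvent -Path $OutFile -Oldest |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it with, for example, `.\Capture-Providers.ps1 -Patterns 'Services','RPC' -Seconds 120` while reproducing the activity of interest. Broad patterns will pull in many providers, and, as the article warns, some of them emit a torrent of events, so start narrow and widen the patterns once the per-provider counts show which ones are worth keeping.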