
Event Tracing for Windows (ETW) is the mechanism Windows uses to trace and log system events. Attackers often clear event logs to cover their tracks. Though the act of clearing an event log itself generates an event, attackers who know ETW well may take advantage of tampering opportunities to cease the flow of logging temporarily or even permanently, without generating any event log entries in the process. The Windows event log is the data source for many of the Palantir Critical Incident Response Team's Alerting and Detection Strategies, so familiarity with event log tampering tradecraft is foundational to our success. We continually evaluate our assumptions regarding the integrity of our event data sources, document our blind spots, and adjust our implementation.

The goal of this blog post is to share our knowledge with the community by covering ETW background and basics, stealthy event log tampering techniques, and detection strategies.

The ETW architecture differentiates between event providers, event consumers, and event tracing sessions. Tracing sessions are responsible for collecting events from providers and for relaying them to log files and consumers. Sessions are created and configured by controllers like the built-in logman.exe command line utility. Here are some useful commands for exploring existing trace sessions and their respective ETW providers; note that these must usually be executed from an elevated context.

List all running trace sessions

> logman query -ets

Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
Circular Kernel Context Logger          Trace                         Running
AppModel                                Trace                         Running
ScreenOnPowerStudyTraceSession          Trace                         Running
DiagLog                                 Trace                         Running
EventLog-Application                    Trace                         Running
EventLog-System                         Trace                         Running
LwtNetLog                               Trace                         Running
NtfsLog                                 Trace                         Running
TileStore                               Trace                         Running
UBPM                                    Trace                         Running
WdiContextLog                           Trace                         Running
WiFiSession                             Trace                         Running
UserNotPresentTraceSession              Trace                         Running
Diagtrack-Listener                      Trace                         Running
MSDTC_TRACE_SESSION                     Trace                         Running
WindowsUpdate_trace_log                 Trace                         Running

List all providers that a trace session is subscribed to

> logman query "EventLog-Application" -ets

Name:                 EventLog-Application
Status:               Running
Root Path:            %systemdrive%\PerfLogs\Admin
Segment:              Off
Schedules:            On
Segment Max Size:     100 MB

Name:                 EventLog-Application\EventLog-Application
Type:                 Trace
Append:               Off
Circular:             Off
Overwrite:            Off
Buffer Size:          64
Buffers Lost:         0
Buffers Written:      242
Buffer Flush Timer:   1
Clock Type:           System
File Mode:            Real-time

Provider:
Name:                 Microsoft-Windows-SenseIR
Provider Guid:

registry key. For example, the Microsoft-Windows-PowerShell provider has the following registry values:

The listing shows supported keywords and logging values, as well as all processes that are registered to emit events via this provider. This output is useful for understanding how existing trace sessions filter on providers. It is also useful for initial discovery of potentially interesting information that could be gathered via an ETW trace. Notably, the PowerShell provider appears to support logging to the event log based on the existence of the reserved keywords in the high nibble of the defined keywords.

Not all ETW providers are designed to be ingested into the event log; rather, many ETW providers are intended to be used solely for low-level tracing, debugging, and more recently developed security telemetry purposes. For example, Windows Defender Advanced Threat Protection relies heavily upon ETW as a supplemental detection data source.

Viewing all providers that a specific process is sending events to

Another method for discovering potentially interesting providers is to view all providers to which events are written from a specific process. For example, the following listing shows all providers relevant to MsMpEng.exe (the Windows Defender service, running as pid 5244 in this example):

Entries listed with a GUID are providers lacking a manifest. They will typically be related to WPP or TraceLogging, both of which are beyond the scope of this blog post.
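As an added example (not code from the original post), the following PowerShell script drives the two logman commands shown on this page to record which providers each running trace session subscribes to, and on later runs compares a fresh snapshot against that saved baseline; a session that has been stopped, or a provider that has been dropped from a session, is exactly the kind of silent logging gap this post is concerned with. The baseline file path, the column-parsing regexes and the function names are my own assumptions, not anything from the post.

```powershell
# Assumes an elevated PowerShell session; the baseline path and regexes are mine (hypothetical).
function Get-EtwSessionSnapshot {
    $snapshot = @{}
    # Session names fill the first column of "logman query -ets"; "Trace ... Running" follows.
    foreach ($line in (logman query -ets)) {
        if ($line -match '^(?<name>\S.*?)\s{2,}Trace\s+Running\s*$') {
            $name = $Matches.name
            $providers = @(); $inProvider = $false
            foreach ($detail in (logman query "$name" -ets)) {
                if ($detail -match '^Provider:\s*$') { $inProvider = $true; continue }
                # The first "Name:" after a "Provider:" header is the provider name;
                # earlier "Name:" lines describe the session itself and are skipped.
                if ($inProvider -and $detail -match '^Name:\s+(?<p>\S.*)$') {
                    $providers += $Matches.p.Trim(); $inProvider = $false
                }
            }
            $snapshot[$name] = $providers
        }
    }
    return $snapshot
}
function Compare-EtwSnapshot {
    # Emits one finding per session that stopped or per provider dropped from a session.
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($session in $Baseline.Keys) {
        if (-not $Current.ContainsKey($session)) {
            [pscustomobject]@{ Session = $session; Provider = '*'; Finding = 'session no longer running' }
            continue
        }
        foreach ($p in $Baseline[$session]) {
            if ($Current[$session] -notcontains $p) {
                [pscustomobject]@{ Session = $session; Provider = $p; Finding = 'provider removed from session' }
            }
        }
    }
}
$baselinePath = "$env:ProgramData\etw-session-baseline.json"   # assumed location
$current = Get-EtwSessionSnapshot
if (Test-Path $baselinePath) {
    $baseline = @{}
    (Get-Content $baselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = @($_.Value) }
    Compare-EtwSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
} else {
    $current | ConvertTo-Json | Set-Content $baselinePath
    "Baseline written to $baselinePath; run again later to compare against it."
}
```

Manifest-less providers show up in the snapshot by their GUID, as they do in the logman output, so the comparison works for them as well.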
