Hidden Treasure: Detecting Intrusions with ETW - Zac Brown GrrCON 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)

Hidden Treasure: Detecting Intrusions with ETW
Zac Brown
GrrCON 2017

Today, defenders consume the Windows Event Log to detect intrusions. While useful, audit logs don't capture the full range of data needed for detection and response. ETW (Event Tracing for Windows) is an additional source of events that defenders can leverage to make post-breach activity more visible in Windows. ETW provides a rich set of data, largely intended for debugging scenarios. As a side effect, these traces also contain data that is ideal for detecting potentially malicious behavior, such as raw networking data and detailed PowerShell data. Unfortunately, the ETW API is low level and primitive, making it difficult to use reliably at scale. Because our security team in Office 365 supports monitoring over 150,000 machines, we needed a reliable way to consume the events in real time while adhering to strict memory and CPU usage constraints. To accomplish this, our team built the open-source krabsetw library to simplify dynamically consuming ETW events. We currently use this library to collect 6.5TB of data per day from our service. In this talk, we'll discuss a few ETW sources we've found to be high value, as well as the detections they enable. We'll also demo a few examples of using krabsetw to consume them and share some strategies for scaling ETW monitoring.


Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast