Windows Event Tracing Enhances Incident Investigation Capabilities
Quick take - The article discusses the importance of EventLogs and Event Tracing for Windows (ETW) in incident investigations on Windows operating systems, highlighting ETW’s role in detecting suspicious activities, its architecture, and the potential for enhanced monitoring and analysis through various tools and recovery methods.
Fast Facts
- EventLogs are essential for incident investigations in Windows OS but may lack sufficient detail for detecting suspicious activities; enabling audit logs or using Sysmon is recommended for enhancement.
- Event Tracing for Windows (ETW) is a key feature that manages events from the kernel and processes, providing more comprehensive data than standard EventLogs and integrating with EDR and antivirus solutions.
- ETW architecture includes providers (event generators), consumers (event receivers), sessions (event relays), and controllers (session managers), with over 1,000 registered providers available for investigations.
- ETW events can be processed in real-time or saved as ETL files, but parsing them can be complex due to varied headers and the lack of standardized signatures; tools like tracerpt can convert ETL files for analysis.
- Recovered ETW events, including network-related data from sessions like LwtNetLog, can be crucial for uncovering communication patterns in incident investigations, highlighting ETW’s potential for system monitoring and incident response.
Understanding Event Logs and ETW in Windows OS
EventLogs are a crucial element in incident investigations, especially on Windows operating systems, which are frequently affected by malware infections. However, these logs do not always record enough detail to detect suspicious activity. To improve investigative capability, enabling audit logs or installing Sysmon is advised.
The Role of Event Tracing for Windows (ETW)
Another significant feature in Windows OS is Event Tracing for Windows (ETW), which plays a vital role in identifying suspicious activity. ETW is designed to manage events generated by the kernel and various processes, serving both debugging and monitoring functions. It collects and organizes EventLogs and has been effectively integrated into the detection protocols of Endpoint Detection and Response (EDR) products and antivirus software.
By default, ETW is capable of logging a variety of operating system behaviors, offering more comprehensive data than standard EventLogs. The architecture of ETW comprises several elements: providers, consumers, sessions, and controllers.
- Providers are applications and drivers that generate events.
- Consumers are applications that receive events.
- Sessions relay events, and controllers manage these sessions.
There are over 1,000 registered ETW providers in Windows OS that can be utilized during incident investigations. Key ETW providers beneficial for detecting suspicious behaviors include:
- Microsoft-Windows-Threat-Intelligence: Detects process injection behaviors.
- Microsoft-Windows-DNS-Client: Related to name resolution events.
- Microsoft-Antimalware-AMFilter: Provides results from Microsoft Defender virus scans.
- Microsoft-Windows-Shell-Core: Related to process execution and termination events.
- Microsoft-Windows-Kernel-Process: Focuses on process events.
- Microsoft-Windows-Kernel-File: Concerns file operations.
Processing and Analyzing ETW Events
ETW events can be processed in two primary ways: either by saving them as ETL files or by receiving them in real-time from a buffer. The format of ETW events begins with a _WMI_BUFFER_HEADER, followed by additional headers specific to the event type. However, parsing ETW events can be complex due to the absence of standardized signatures and the variety of header types involved.
For those looking to analyze ETW data, ETL files can be converted into EVTX or CSV formats using the tracerpt command, which is included with Windows OS. ETW configuration information can be obtained through Performance Monitor, logman commands, and the registry. While some ETW structures can be traced for insights about providers and consumers, accessing certain information requires kernel mode access.
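The collect, stop, convert and read workflow described above, as an added PowerShell example that is not code from the original article; it also maps the controller, session, provider and consumer roles from the architecture section onto the built-in logman and tracerpt tools. The session name, file paths and the choice of the DNS-Client provider are assumptions, and the commands must be run from an elevated prompt.

```powershell
# Added example: minimal ETW collect-and-convert workflow with logman/tracerpt.
# Session name, output paths and provider choice are assumptions for illustration.
$Session = "IR-DnsTrace"            # hypothetical session name
$Etl     = "C:\Temp\ir-dns.etl"     # hypothetical ETL output path
$Evtx    = "C:\Temp\ir-dns.evtx"    # hypothetical converted output path

# 1. Controller role: confirm the provider is registered, then start a trace
#    session. "-ets" acts on the live session immediately (no data collector set).
logman query providers "Microsoft-Windows-DNS-Client"
logman start $Session -p "Microsoft-Windows-DNS-Client" -o $Etl -ets

# 2. Generate name-resolution activity so the provider emits events.
Resolve-DnsName "example.com" -ErrorAction SilentlyContinue | Out-Null

# 3. Stop the session; the buffered events are flushed to the ETL file.
logman stop $Session -ets

# 4. Convert the ETL file to EVTX so it can be read with standard EventLog tooling
#    (use "-of CSV" instead for spreadsheet-style review).
tracerpt $Etl -o $Evtx -of EVTX -y

# 5. Consumer role: read the converted events and summarize them by event ID,
#    which quickly shows which DNS-Client event types were captured.
Get-WinEvent -Path $Evtx |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 6. Inspect the always-on LwtNetLog session mentioned in the article to see
#    which providers feed it; this tells an investigator what network-related
#    events may still be recoverable from its buffers in a memory image.
logman query "LwtNetLog" -ets
```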
Importantly, ETW events are usually read from a buffer in real-time and are not saved as files unless specifically configured to do so. Even if ETL files are deleted, it is often possible to recover ETW events from the buffer. The structure of ETW events remains largely undocumented, complicating recovery methods.
However, a recovery tool for ETW events from memory images has been developed as a plugin for the Volatility Framework. This tool enables the retrieval of these events and the associated ETW providers and consumers. Recovered ETW events can be invaluable in incident investigations, helping to uncover communication patterns and other relevant data.
For instance, the LwtNetLog ETW session collects network-related information, which includes communication packets and DNS access. Additionally, EDR or antivirus solutions may also have the capability to recover ETW events from various providers, yielding potential insights for threat analysis.
Overall, ETW’s functionalities can be leveraged for system monitoring and incident response, suggesting opportunities for developing simplified EDR solutions based on ETW capabilities.
Original Source: Read the Full Article Here