Cheat Sheet - ETW Providers

  • Microsoft-Windows-Kernel-Process: This ETW provider is essential for monitoring process-related activities within the Windows kernel. It helps detect suspicious behaviors such as process injection, process hollowing, and other techniques commonly used by malware and advanced persistent threats (APTs).

  • Microsoft-Windows-Kernel-File: As the name suggests, this provider focuses on file-related operations. It can be used to detect unauthorized file access, modifications to critical system files, or suspicious file activities indicative of data exfiltration or ransomware attacks.

  • Microsoft-Windows-Kernel-Network: This ETW provider offers visibility into network activity at the kernel level. It is particularly useful for identifying network-based threats such as data exfiltration, unauthorized connections, and potential command and control (C2) communications.

  • Microsoft-Windows-SMBClient / SMBServer: These providers monitor Server Message Block (SMB) client and server activities, offering insights into file sharing and network communications. They can help detect unusual SMB traffic patterns, potentially indicating lateral movement or data exfiltration.

  • Microsoft-Windows-DotNETRuntime: This provider focuses on .NET runtime events, making it valuable for identifying anomalies in .NET application execution, potential exploitation of .NET vulnerabilities, or malicious .NET assembly loading.

  • OpenSSH: Monitoring the OpenSSH ETW provider provides critical insights into Secure Shell (SSH) connection attempts, successful and failed authentications, and potential brute force attacks.

  • Microsoft-Windows-VPN-Client: This provider tracks Virtual Private Network (VPN) client events and can help identify unauthorized or suspicious VPN connections.

  • Microsoft-Windows-PowerShell: This ETW provider monitors PowerShell execution and command activity (including script block logging), making it crucial for detecting suspicious PowerShell usage and potential misuse or exploitation.

  • Microsoft-Windows-Kernel-Registry: This provider tracks registry operations, making it useful for detecting changes in registry keys often linked to persistence mechanisms, malware installation, or system configuration modifications.

  • Microsoft-Windows-CodeIntegrity: This provider monitors code and driver integrity checks, helping to detect attempts to load unsigned or malicious drivers or code.

  • Microsoft-Antimalware-Service: This ETW provider can detect issues related to the antimalware service, such as disabled protections, configuration changes, or evasion techniques used by malware.

  • WinRM (Windows Remote Management): Monitoring this provider can reveal unauthorized or suspicious remote management activities, often indicative of lateral movement or remote command execution.

  • Microsoft-Windows-TerminalServices-LocalSessionManager: This provider tracks local Terminal Services sessions, making it useful for detecting unauthorized or suspicious remote desktop activity.

  • Microsoft-Windows-Security-Mitigations: This provider monitors security mitigations in place and is essential for detecting potential bypass attempts of security controls.

  • Microsoft-Windows-DNS-Client: This ETW provider gives visibility into DNS client activity, which is crucial for detecting DNS-based attacks, including DNS tunneling or unusual DNS requests that may indicate C2 communication.

  • Microsoft-Antimalware-Protection: This provider monitors antimalware protection mechanisms, helping detect issues such as disabled security features, configuration changes, or evasion techniques used by malicious actors.

Microsoft-Windows-Threat-Intelligence -> requires the consuming process to run with Protected Process Light (PPL) privilege

Query one provider

```powershell
logman.exe query providers Microsoft-Windows-Winlogon
```

With `logman query providers` we can generate a list of all available providers on the system, including their respective GUIDs:

```powershell
logman.exe query providers
```

Filter the providers

```powershell
logman.exe query providers | findstr "Winlogon"
```

Monitor Microsoft-Windows-Kernel-Process and write the output in a file

```powershell
SilkETW.exe -t user -pn Microsoft-Windows-Kernel-Process -ot file -p C:\windows\temp\etw.json
```

Monitor Microsoft-Windows-DotNETRuntime with a keyword filter (-uk) and write the output in a file

```powershell
SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -ot file -p C:\windows\temp\etw.json
```

-uk 0x2038 = keyword mask selecting a subset of the provider's events: JitKeyword, InteropKeyword, LoaderKeyword, and NGenKeyword.

  • The JitKeyword relates to the Just-In-Time (JIT) compilation events, providing information on the methods being compiled at runtime. This can be particularly useful for understanding the execution flow of a .NET assembly.
  • The InteropKeyword refers to Interoperability events, which come into play when managed code interacts with unmanaged code. These events could provide insights into potential interactions with native APIs or other unmanaged components.
  • LoaderKeyword events provide details on the assembly loading process within the .NET runtime, which can be vital for understanding what .NET assemblies are being loaded and potentially executed.
  • Lastly, the NGenKeyword corresponds to Native Image Generator (NGen) events, which are concerned with the creation and usage of precompiled .NET assemblies. Monitoring these could help detect scenarios where attackers use precompiled .NET assemblies to evade JIT-related detections.
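As an added example (not from the original cheat sheet and not SilkETW's own code), this Python script decodes and composes the -uk keyword mask described above and triages SilkETW's JSON-lines output for the LoaderKeyword module-load events. The sample records are constructed; their top-level field names follow SilkETW's JSON record layout, and the XmlEventData key ModuleILPath is assumed from the CLR ModuleLoad event.

```python
import json
from collections import Counter

# Keyword bits of the Microsoft-Windows-DotNETRuntime (CLR) provider that make up -uk 0x2038.
CLR_KEYWORDS = {
    "LoaderKeyword": 0x8,
    "JitKeyword": 0x10,
    "NGenKeyword": 0x20,
    "InteropKeyword": 0x2000,
}

def decode_keyword_mask(mask):
    """Name the keywords set in a -uk mask; bits not in the table come back as a hex remainder."""
    names = [name for name, bit in CLR_KEYWORDS.items() if mask & bit]
    remainder = mask & ~sum(CLR_KEYWORDS.values())
    if remainder:
        names.append("unknown:0x%x" % remainder)
    return names

def build_keyword_mask(*names):
    """Compose a -uk value from keyword names (raises KeyError on a name not in the table)."""
    return sum(CLR_KEYWORDS[name] for name in names)

# Constructed sample in SilkETW's JSON-lines layout (one record per line); values are invented.
SAMPLE_ETW_JSON = r"""
{"ProviderName":"Microsoft-Windows-DotNETRuntime","EventName":"Loader/ModuleLoad","ProcessID":4120,"ProcessName":"powershell","XmlEventData":{"ModuleILPath":"C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System\\v4.0_4.0.0.0__b77a5c561934e089\\System.dll"}}
{"ProviderName":"Microsoft-Windows-DotNETRuntime","EventName":"Loader/ModuleLoad","ProcessID":4120,"ProcessName":"powershell","XmlEventData":{"ModuleILPath":"C:\\Users\\Public\\updater.dll"}}
{"ProviderName":"Microsoft-Windows-DotNETRuntime","EventName":"Method/LoadVerbose","ProcessID":4120,"ProcessName":"powershell","XmlEventData":{"MethodNamespace":"Updater.Main","MethodName":"Run"}}
"""

# Roots from which assembly loads are considered expected; everything else is reported for review.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_silketw(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def count_events(records):
    """Tally events per (ProcessName, EventName) so rare event types stand out from the JIT noise."""
    return Counter((r.get("ProcessName"), r.get("EventName")) for r in records)

def untrusted_module_loads(records):
    """Return (ProcessName, ProcessID, path) for Loader events whose IL path is outside the trusted roots."""
    hits = []
    for r in records:
        if not str(r.get("EventName", "")).startswith("Loader/"):
            continue
        path = r.get("XmlEventData", {}).get("ModuleILPath", "")
        if path and not path.lower().startswith(TRUSTED_PREFIXES):
            hits.append((r.get("ProcessName"), r.get("ProcessID"), path))
    return hits
```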