This is a repository that contains a bunch of resources to learn and understand EVTX/ETW (Event Tracing for Windows)
- ETW Providers Manifests - List of ETW XML manifests from different versions of Windows.
- Examples - Example scripts to collect ETW events using different libraries.
- ETW Events List - List of all ETW events extracted from the currently dumped ETW providers.
Blogs / Research (https://nasbench.medium.com/)
- A Primer On Event Tracing For Windows (ETW)
- Finding Detection and Forensic Goodness In ETW Providers
- Windows 11 “New” ETW Providers — Overview
The following is a list of tools that can let us interact with the different ETW providers available. The examples directory contains example scripts and commands on how to use these tools
The following are blogs and articles published by the wider security community discussing various aspects of ETW
- Event Tracing: Improve Debugging And Performance Tuning With ETW by Microsoft
- About Event Tracing by Microsoft
- Part 1 - ETW Introduction and Overview by Microsoft
- Part 2 - Exploring and Decoding ETW Providers using Event Log Channels by Microsoft
- Part 3 - ETW Methods of Tracing by Microsoft
- ETW: Event Tracing for Windows 101
- ETW: Event Tracing for Windows, Part 1: Intro by Mozilla
- ETW: Event Tracing for Windows, part 2: field reporting by Mozilla
- ETW: Event Tracing for Windows, part 3: architecture by Mozilla
- ETW: Event Tracing for Windows, part 4: collection by Mozilla
- ETW Security by Geoff Chappell
- Writing an Instrumentation Manifest
- Tampering with Windows Event Tracing: Background, Offense, and Defense by Palantir
- Introduction to Threat Intelligence ETW
- Detecting process injection with ETW
- Experimenting with Protected Processes and Threat-Intelligence
- Bypassing the Microsoft-Windows-Threat-Intelligence Kernel APC Injection Sensor
- Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
- Detecting Parent PID Spoofing
- Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors
- T208 Hidden Treasure Detecting Intrusions with ETW Zac Brown - Derbycon 7
- T208 Hidden Treasure Detecting Intrusions with ETW Zac Brown - GrrCON 2017
- RECON 2019 - Using WPP and TraceLogging Tracing (Matt Graeber)
- S25 Tracing Adversaries Detecting Attacks with ETW Matt Hastings Dave Hull - Derbycon 7
- The Good, the Bad and the ETW (Grzegorz Tworek)
If you want to contribute to this project simply follow these steps:
- Download the latest version of WEPExplorer
- Download the latest version of Auto Keyboard Presser
- Follow the steps in the GIF below
- Fork the repo and upload your files
- Make a PR and receive our eternal thanks