This is a repository that contains a bunch of resources to learn and understand ETW (Event Tracing for Windows)
Blogs / Research (https://nasbench.medium.com/)
The following are a list of tools that can let us interact with the different ETW providers available. The examples directory contains example scripts and commands on how to use these tools
The following are blogs and articles published by the wider security community discussing various aspects of ETW
- Event Tracing: Improve Debugging And Performance Tuning With ETW by Microsoft
- About Event Tracing by Microsoft
- Part 1 - ETW Introduction and Overview by Microsoft
- Part 2 - Exploring and Decoding ETW Providers using Event Log Channels by Microsoft
- Part 3 - ETW Methods of Tracing by Microsoft
- ETW: Event Tracing for Windows 101
- ETW: Event Tracing for Windows, Part 1: Intro by Mozilla
- ETW: Event Tracing for Windows, part 2: field reporting by Mozilla
- ETW: Event Tracing for Windows, part 3: architecture by Mozilla
- ETW: Event Tracing for Windows, part 4: collection by Mozilla
- ETW Security by Geoff Chappell
- Writing an Instrumentation Manifest
- Tampering with Windows Event Tracing: Background, Offense, and Defense by Palantir
- Introduction to Threat Intelligence ETW
- Detecting process injection with ETW
- Experimenting with Protected Processes and Threat-Intelligence
- Bypassing the Microsoft-Windows-Threat-Intelligence Kernel APC Injection Sensor
- Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
- Detecting Parent PID Spoofing
- T208 Hidden Treasure Detecting Intrusions with ETW Zac Brown - Derbycon 7
- T208 Hidden Treasure Detecting Intrusions with ETW Zac Brown - GrrCON 2017
- RECON 2019 - Using WPP and TraceLogging Tracing (Matt Graeber)
- S25 Tracing Adversaries Detecting Attacks with ETW Matt Hastings Dave Hull - Derbycon 7
- The Good, the Bad and the ETW (Grzegorz Tworek)