This is a repository that contains a bunch of resources to learn and understand EVTX/ETW (Event Tracing for Windows)
Here's what you can expect from each of the main subfolders within this repo. Please take a minute to educate yourself!
ETW Providers Manifests will contain raw XMLs for each Event Log Provider for each respective version of Windows. At minimum, there should be 800 of these for each system. An example can be seen below:
ETW Providers CSVs will contain a CSV for each Provider and all the possible event IDs, event messages, etc contained within that Provider. An example can be seen below:
Within the ETWProvidersCSVs subfolder, there are two other subfolders that separate Windows-native and Third-Party Event Log Providers.
Any Event Log Provider that exists upon a clean install of Windows will be included here.
Any Event Log Provider that doesn't ship with Windows will be included here. Some examples can include, but are not limited to: Third-Party Antivirus, Sysmon, Microsoft Office (technically doesn't ship with Windows), or Remote Admin Tools like Splashtop.
ETW Events List will provide a CSV for each respective version of Windows that contains ALL of the possible event IDs, event messages, etc for that version of Windows. This is offered in a combined CSV for ALL Providers as well as each Provider separated out into their own CSV for that specific version of Windows. An example can be seen below:
Examples will contain example scripts to collect ETW events using different libraries.
Blogs / Research (https://nasbench.medium.com/)
- A Primer On Event Tracing For Windows (ETW)
- Finding Detection and Forensic Goodness In ETW Providers
- Windows 11 “New” ETW Providers — Overview
The following is a list of tools that can let us interact with the different ETW providers available. The examples directory contains example scripts and commands on how to use these tools
The following are blogs and articles published by the wider security community discussing various aspects of ETW
- Event Tracing: Improve Debugging And Performance Tuning With ETW by Microsoft
- About Event Tracing by Microsoft
- Part 1 - ETW Introduction and Overview by Microsoft
- Part 2 - Exploring and Decoding ETW Providers using Event Log Channels by Microsoft
- Part 3 - ETW Methods of Tracing by Microsoft
- ETW: Event Tracing for Windows 101
- ETW: Event Tracing for Windows, Part 1: Intro by Mozilla
- ETW: Event Tracing for Windows, part 2: field reporting by Mozilla
- ETW: Event Tracing for Windows, part 3: architecture by Mozilla
- ETW: Event Tracing for Windows, part 4: collection by Mozilla
- ETW Security by Geoff Chappell
- Writing an Instrumentation Manifest
- Tampering with Windows Event Tracing: Background, Offense, and Defense by Palantir
- Introduction to Threat Intelligence ETW
- Detecting process injection with ETW
- Experimenting with Protected Processes and Threat-Intelligence
- Bypassing the Microsoft-Windows-Threat-Intelligence Kernel APC Injection Sensor
- Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
- Detecting Parent PID Spoofing
- Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors
- T208 Hidden Treasure Detecting Intrusions with ETW Zac Brown - Derbycon 7
- T208 Hidden Treasure Detecting Intrusions with ETW Zac Brown - GrrCON 2017
- RECON 2019 - Using WPP and TraceLogging Tracing (Matt Graeber)
- S25 Tracing Adversaries Detecting Attacks with ETW Matt Hastings Dave Hull - Derbycon 7
- The Good, the Bad and the ETW (Grzegorz Tworek)
If you want to contribute to this project simply follow these steps:
- Download the latest version of WEPExplorer
- Download the latest version of Auto Keyboard Presser
- Follow the steps in the GIF below
- Fork the repo and upload your files
- Make a PR and receive our eternal thanks