Event Tracing for Windows (ETW) is a part of Windows that provides an incredible wealth of logging that provides amazing insight in what is running on a machine and how. It has become the backbone of numerous security detection and monitoring tools, and has even helped bug hunters understand how systems and programs interact.
However, to accessing and viewing ETW logs is a non-trivial task, requiring a solid understanding of both programming and Windows APIs in order to be able to receive and parse events.
I wanted to make a tool for researchers without the time or skill to write their own programs, but would still provide the ability to automatically filter and parse events from any ETW Provider, including MOF and WPP Traces, turning them into JSON or Event Logs to be read by humans, consumed by higher-level scripts, or forwarded to SIEMs for further analysis.
There are a few other tools that provide similar functionality, notably SilkETW but for reasons I go into here[1] they didn't meet a number of needs I needed when conducting my own research, namely performance, event parsing accuracy, and the ability to get stack traces to determine where in a binary an event was logged.
1 comment
[ 4.0 ms ] story [ 16.0 ms ] threadEvent Tracing for Windows (ETW) is a part of Windows that provides an incredible wealth of logging that provides amazing insight in what is running on a machine and how. It has become the backbone of numerous security detection and monitoring tools, and has even helped bug hunters understand how systems and programs interact.
However, to accessing and viewing ETW logs is a non-trivial task, requiring a solid understanding of both programming and Windows APIs in order to be able to receive and parse events.
I wanted to make a tool for researchers without the time or skill to write their own programs, but would still provide the ability to automatically filter and parse events from any ETW Provider, including MOF and WPP Traces, turning them into JSON or Event Logs to be read by humans, consumed by higher-level scripts, or forwarded to SIEMs for further analysis.
There are a few other tools that provide similar functionality, notably SilkETW but for reasons I go into here[1] they didn't meet a number of needs I needed when conducting my own research, namely performance, event parsing accuracy, and the ability to get stack traces to determine where in a binary an event was logged.
[1] https://github.com/pathtofile/Sealighter/blob/main/docs/COMP...