![]() You can also use Message Analyzer to capture data, but I found it simpler to script up logman (which is command line) on my lab machines to grab the data to analyze later.ĮTW events are obtained through providers, each being identified by a GUID and, in many cases, a human-readable name. For this post we will be using the built-in logman tool to capture data, and will make use of Microsoft Message Analyzer as a convenient way of searching through the results. There are many ways to interact with ETW, including several different Microsoft utilities, as well as custom written code. As we will see later, this means we can sometimes directly correlate logs with ETW events. Since Windows Vista, the Windows Event Log has been built on top of ETW and both log events and ETW events have similar metadata associated with them. This makes it a great telemetry source for attack detection. ![]() ![]() ETWĮvent Tracing for Windows (ETW) is a kernel-level tracing facility built into Windows that allows a wide range of system activity to be traced in real time. ![]() We will use this as an opportunity to explore Event Tracing for Windows (ETW), as well as how RPC calls work in Windows.Īfter a primer on ETW, we’ll look first at two built-in Windows utilities for creating a service, sc.exe and WMI, and then look at the Sysinternals tool PsExec, which uses remote service creation as a way of executing commands on a remote host. In this article, we’ll explore remote service creation as a lateral movement technique, and illustrate how we might spot it on an endpoint. But if they can detect the lateral movement as it is happening it can be much quicker to see how the attacker is moving around, decreasing response times and possibly providing opportunities for quick containment actions. If threat hunters can detect malicious activity on an endpoint they may see similar indicators appearing on new machines when lateral movement has occurred. Lateral movement is when attackers move from a compromised host to other hosts to expand their access and reach their goal. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |