Open-source endpoint detection engine for Windows and Linux

Rustinel is an open-source endpoint detection engine that collects native host telemetry on Windows and Linux and evaluates Sigma, YARA and IOC rules against it. Implemented in Rust for memory safety and performance, it collects events through ETW (Windows) and eBPF (Linux) and normalizes them into a common model. Detections are emitted as SIEM-friendly ECS NDJSON, and active response such as terminating a malicious process is also supported. Windows coverage is currently broader; expanded Linux support and additional features such as YARA memory scanning are planned.

https://github.com/Karib0u/rustinel

#endpointdetection #rust #etw #ebpf #sigma

GitHub - Karib0u/rustinel: Rustinel is an open-source endpoint detection runtime for Windows and Linux. It collects native telemetry from ETW and eBPF, normalizes events into Sysmon-style fields, evaluates Sigma, YARA, and IOC detections, and emits ECS-compatible NDJSON alerts.
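As an added illustration of the pipeline the post describes (Sysmon-style fields in, Sigma evaluation, ECS NDJSON out), here is a small Python sketch. It is not Rustinel code and uses none of its APIs; the event, the rule (title, id, the msiexec exclusion) and the level-to-severity mapping are constructed for this example, and only a subset of Sigma's matching is handled.

```python
"""Added example, not Rustinel's code: evaluate a minimal Sigma-style rule
against an event already normalized into Sysmon-style fields and emit the
hit as one ECS-shaped NDJSON line. Sigma subset handled: one map per named
selection, the contains/startswith/endswith/all modifiers, and flat
and/or/not conditions without parentheses."""
import json

# Constructed process-creation event using Sysmon Event ID 1 field names.
SAMPLE_EVENT = {
    "EventID": 1,
    "UtcTime": "2025-01-15 10:23:45.123",
    "Computer": "DESKTOP-01",
    "User": "DESKTOP-01\\alice",
    "ProcessId": 4242,
    "Image": "C:\\Windows\\System32\\rundll32.exe",
    "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";document.write()',
    "ParentImage": "C:\\Windows\\explorer.exe",
}

# Hypothetical rule in Sigma layout; title, id and the filter are made up here.
RULE = {
    "title": "Rundll32 executing JavaScript via RunHTMLApplication",
    "id": "example-rule-0001",
    "level": "high",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\rundll32.exe",
            "CommandLine|contains|all": ["javascript:", "RunHTMLApplication"],
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
}

# Assumed mapping from Sigma level to the numeric ECS event.severity field.
SEVERITY = {"informational": 1, "low": 25, "medium": 50, "high": 75, "critical": 100}


def _value_matches(actual, modifiers, expected):
    """Sigma string matching is case-insensitive; `all` requires every listed value."""
    if actual is None:
        return False
    hay = str(actual).lower()
    wanted = expected if isinstance(expected, list) else [expected]

    def one(pat):
        pat = str(pat).lower()
        if "contains" in modifiers:
            return pat in hay
        if "startswith" in modifiers:
            return hay.startswith(pat)
        if "endswith" in modifiers:
            return hay.endswith(pat)
        return hay == pat

    hits = [one(p) for p in wanted]
    return all(hits) if "all" in modifiers else any(hits)


def _selection_matches(selection, event):
    """Every field in a selection map must match (implicit AND)."""
    for key, expected in selection.items():
        field, *mods = key.split("|")
        if not _value_matches(event.get(field), mods, expected):
            return False
    return True


def _evaluate_condition(condition, results):
    """Left-to-right evaluation of 'a and not b or c' over named selection results."""
    acc, op, negate = None, "and", False
    for tok in condition.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            val = results[tok] != negate  # XOR on booleans
            negate = False
            acc = val if acc is None else (acc and val if op == "and" else acc or val)
    return bool(acc)


def rule_matches(rule, event):
    det = rule["detection"]
    results = {name: _selection_matches(sel, event)
               for name, sel in det.items() if name != "condition"}
    return _evaluate_condition(det["condition"], results)


def to_ecs_alert(rule, event):
    """Map Sysmon-style fields to ECS; @timestamp is derived from Sysmon's UtcTime."""
    return {
        "@timestamp": event["UtcTime"].replace(" ", "T") + "Z",
        "event": {"kind": "alert", "category": ["process"], "type": ["start"],
                  "severity": SEVERITY.get(rule["level"], 0)},
        "rule": {"name": rule["title"], "id": rule["id"]},
        "host": {"name": event["Computer"]},
        "user": {"name": event["User"].split("\\")[-1]},
        "process": {"pid": event["ProcessId"], "executable": event["Image"],
                    "command_line": event["CommandLine"],
                    "parent": {"executable": event["ParentImage"]}},
    }


def alert_ndjson(rule, event):
    """One compact JSON line per hit, or None when the rule does not fire."""
    if not rule_matches(rule, event):
        return None
    return json.dumps(to_ecs_alert(rule, event), separators=(",", ":"))


if __name__ == "__main__":
    print(alert_ndjson(RULE, SAMPLE_EVENT))
```

The normalization step that the engine does from ETW or eBPF into these field names is assumed to have already happened; the point of the sketch is that once events share Sysmon-style names, one rule evaluator serves both platforms and the alert shape is what a SIEM ingests directly.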

A room with a view🏖

This is the view from the man's room. A 1970s residential-box thing with scratch-coat render. Planted right in the middle of gardens and Gründerzeit houses. Just like that. Plop. If you don't feel like designing houses, you can always do something else ... pest control or bomb disposal ... also needed, and perhaps closer to one's personal inclination.

#Architektur #Schöner_Wohnen #70er #Aussicht #ETW

📢 Recursive fuzzing of MS-RPC structures with ETW: privilege escalation to SYSTEM
📝 🔍 Context

Technical article published on 4 May 2026 by Remco van der Meer on incendium.rocks, presenting updates...
📖 cyberveille: https://cyberveille.ch/posts/2026-05-06-fuzzing-recursif-des-structures-ms-rpc-avec-etw-escalade-de-privileges-vers-nt-authority-system/
🌐 source: https://www.incendium.rocks/posts/Fuzzing-MS-RPC-structures-and-monitoring/
#ETW #IOC #Cyberveille

🔍 Context
Technical article published on 4 May 2026 by Remco van der Meer on incendium.rocks, presenting updates to the MS-RPC-Fuzzer project and the results obtained, notably the discovery of a privilege escalation to NT AUTHORITY\SYSTEM.

🛠️ Improvements to the MS-RPC fuzzer
Two major features were implemented.

Recursive fuzzing of complex structures: three cooperating functions (New-FuzzedInstance, Get-FuzzFieldValue, New-NdrEmbeddedPointerValue) traverse nested NDR structures recursively, with guards against infinite recursion (maximum depth 8, a $Visited set).

Support for union types: MS-RPC IDL unions are handled by randomly selecting an arm (Arm_N) and synchronizing the discriminant with it, to avoid the error "No matching union selector when marshaling".

📡 Replacing Process Monitor with ETW
The fuzzer now uses Event Tracing for Windows (ETW) via P/Invoke into advapi32.dll and tdh.dll to monitor file and registry activity:
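To make the two recursion guards and the union handling concrete, the following Python is an added example and not the MS-RPC-Fuzzer code (which is PowerShell): a recursive instance generator over a constructed type table with a depth cap of 8 and a set of struct names already on the current path, plus union handling that sets the discriminant to the chosen Arm_N. How the real tool counts depth, what it stores in $Visited, and the type table itself are assumptions of this example.

```python
"""Added example (not MS-RPC-Fuzzer code): recursive generation of fuzzed
values for nested, self-referential structure types with a depth cap and a
visited set, plus union arm selection with a synchronized discriminant."""
import random

MAX_DEPTH = 8  # the cap the write-up quotes; counting one level per struct/pointer is an assumption

# Constructed type table standing in for parsed IDL. "ref" names another type,
# so NODE.Next -> NODE is a cycle a naive generator would never leave.
TYPES = {
    "NODE": {"kind": "struct", "fields": [
        ("Value", {"kind": "int"}),
        ("Next", {"kind": "ptr", "to": {"kind": "ref", "name": "NODE"}}),
    ]},
    "PAYLOAD": {"kind": "union", "discriminant": "Tag", "arms": {
        1: {"kind": "int"},
        2: {"kind": "str"},
        3: {"kind": "ref", "name": "NODE"},
    }},
    "REQUEST": {"kind": "struct", "fields": [
        ("Kind", {"kind": "int"}),
        ("Data", {"kind": "ref", "name": "PAYLOAD"}),
        ("Name", {"kind": "str"}),
    ]},
}


def ptr_chain(levels):
    """Build ptr -> ptr -> ... -> int, `levels` deep, to exercise the depth cap."""
    ty = {"kind": "int"}
    for _ in range(levels):
        ty = {"kind": "ptr", "to": ty}
    return ty


def fuzz_value(ty, rng, depth=0, visited=frozenset()):
    """Return a fuzzed instance of `ty`; None stands for a NULL pointer."""
    kind = ty["kind"]
    if kind == "ref":
        name = ty["name"]
        if name in visited:  # visited-set guard: never re-enter a struct already on this path
            return None
        return fuzz_value(TYPES[name], rng, depth, visited | {name})
    if kind == "int":
        return rng.choice([0, 1, -1, 0x7FFFFFFF, -0x80000000, rng.randrange(1 << 32)])
    if kind == "str":
        return rng.choice(["", "A" * rng.randrange(1, 300), "%s%n%x", "\\\\?\\C:\\"])
    if kind == "ptr":
        if depth >= MAX_DEPTH:  # depth guard: the embedded pointer becomes NULL
            return None
        inner = fuzz_value(ty["to"], rng, depth + 1, visited)
        if inner is None and ty["to"]["kind"] != "ptr":
            return None  # target was cut by a guard, so this pointer is NULL
        return {"ptr": inner}
    if kind == "struct":
        if depth >= MAX_DEPTH:
            return None
        return {f: fuzz_value(ft, rng, depth + 1, visited) for f, ft in ty["fields"]}
    if kind == "union":
        arm = rng.choice(sorted(ty["arms"]))
        # The discriminant is set to the chosen arm so marshaling finds a matching selector.
        return {ty["discriminant"]: arm,
                f"Arm_{arm}": fuzz_value(ty["arms"][arm], rng, depth + 1, visited)}
    raise ValueError(f"unknown kind {kind!r}")


def nesting_depth(value):
    """Count nested dict levels; pointer and struct values are dicts."""
    if isinstance(value, dict):
        return 1 + max((nesting_depth(v) for v in value.values()), default=0)
    return 0


def fuzz_type(ty, seed=0):
    """Deterministic instance of an inline type description."""
    return fuzz_value(ty, random.Random(seed))


def fuzz_named(name, seed=0):
    """Deterministic instance of a type from the table."""
    return fuzz_type({"kind": "ref", "name": name}, seed)


if __name__ == "__main__":
    for seed in range(3):
        print(fuzz_named("REQUEST", seed))
```

With this shape of guard, a self-referential list is cut at one node by the visited set and a long pointer chain is cut at eight levels by the depth cap; a generator that only had one of the two would either loop forever on the list or produce arbitrarily deep chains.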

FortiGuard IR researchers have highlighted unexpected forensic value in the AutoLogger-Diagtrack-Listener.etl file on modern Windows systems.

Despite low exploitation severity, the artefact has shown the ability to preserve historical process-execution data, including deleted binaries and command-line traces — helpful in ransomware investigations.

What’s your view on ETW-based artefacts in DFIR workflows?

Source: https://www.fortinet.com/blog/threat-research/uncovering-hidden-forensic-evidence-in-windows-mystery-of-autologger

Share your insights and follow us for more clear, unbiased analysis.

#InfoSec #DFIR #ThreatIntel #WindowsForensics #ETW #Telemetry #CyberSecurity #IncidentResponse #SecurityResearch #ThreatAnalysis

Hm, there was less jam in the #KüchenRegal (kitchen shelf) than I thought; and I urgently need to buy #Nudelsoße (pasta sauce). Five kilograms of #ETW (EierTeigWaren, egg pasta) should last a while.
No Agent, No Problem: Discovering Remote EDR - Jonathan Johnson - Medium

As the reader, I’m sure you’re thinking — “oh great, another EDR internals or bypass post”. I can fully understand that sentiment, as EDRs are quite the topic these days. However, this one is…

Release PerfView and TraceEvent 3.1.18 · microsoft/perfview

Roll-up through 2024/12/11. Fixed perfcollect install script on Azure Linux 3. Updated System.Text.Json to address dotnet/announcements#329.

ETW Forensics - Why use Event Tracing for Windows over EventLog? https://blogs.jpcert.or.jp/en/2024/11/etw_forensics.html

#etw #forensics #windows

Many people may think of EventLogs when one mentions Windows OS logs. When investigating incidents such as malware infections, it is common to analyze the Windows OS EventLogs to find traces that may help uncover the incident. However, since the...

The three elephants that Windows logging stands on

We continue our series of articles on the types of endpoint data collectors and how they work, or agents, as they are usually called. In the first article we introduced this component and looked at the main nuances of collecting data with it. Since, as part of developing our own products, we deal with both log management and event collection, we want to share the continuation of our extensive analysis in a quickstart format. So in this installment we take a closer look at the functionality and tooling of event sources on Windows.

https://habr.com/ru/companies/securityvison/articles/862352/

#Логирование #сбор_событий #eventlog #журналы_windows #журналы_событий #sysmon #event_tracing_for_windows #event_logging #event_log #etw

Anastasia Kuznetsova, Security Vision. This research was carried out while working through the agent story for a whole group of products. We continue our series of articles on the types and methods of operation of data collectors...

My program, which has a JIT compiler in it, is getting killed (or at least it seems like it) on Azure Pipelines. When I turn the JIT off, it runs fine. When I use IMAGE_NAME: 'windows-2019' instead of -latest, it runs fine.
Is there some kind of new security feature or exploit mitigation or whatever that was turned on some time between these two images that might be killing my program because the JIT needs to be adapted to it?
How the heck do I find out how my program is actually quitting? "exit code 0xff" is not terribly enlightening ...
This is incredibly frustrating to debug, not just because I have to wait ~10 minutes between putting a change in and seeing the result, but also because the majority of tools Windows developers have at their disposal seem to only be usable with a GUI which, surprise surprise, Azure Pipelines runners don't let you access.

#azurepipelines #msvc #windows #justintimecompilation #ETW #pwsh