FortiGuard IR researchers have highlighted unexpected forensic value in the AutoLogger-Diagtrack-Listener.etl file on modern Windows systems.

Despite low exploitation severity, the artefact has shown the ability to preserve historical process-execution data, including deleted binaries and command-line traces — helpful in ransomware investigations.

What’s your view on ETW-based artefacts in DFIR workflows?

Source: https://www.fortinet.com/blog/threat-research/uncovering-hidden-forensic-evidence-in-windows-mystery-of-autologger

Share your insights and follow us for more clear, unbiased analysis.

#InfoSec #DFIR #ThreatIntel #WindowsForensics #ETW #Telemetry #CyberSecurity #IncidentResponse #SecurityResearch #ThreatAnalysis

Hm, there was less jam in the #KüchenRegal than I thought; and I urgently need to buy #Nudelsoße. Five kilograms of #ETW (EierTeigWaren, egg pasta) should last a while.
No Agent, No Problem: Discovering Remote EDR - Jonathan Johnson - Medium

As the reader, I’m sure you’re thinking — “oh great, another EDR internals or bypass post”. I can fully understand that sentiment, as EDRs are quite the topic these days. However, this one is…

Release PerfView and TraceEvent 3.1.18 · microsoft/perfview

Roll-up through 2024/12/11. Fixed perfcollect install script on Azure Linux 3. Updated System.Text.Json to address dotnet/announcements#329.

ETW Forensics - Why use Event Tracing for Windows over EventLog? https://blogs.jpcert.or.jp/en/2024/11/etw_forensics.html

#etw #forensics #windows

ETW Forensics - Why use Event Tracing for Windows over EventLog? - - JPCERT/CC Eyes

Many people may think of EventLogs when one mentions Windows OS logs. When investigating incidents such as malware infections, it is common to analyze the Windows OS EventLogs to find traces that may help uncover the incident. However, since the...

The three elephants that Windows logging rests on

We continue our series of articles on the types of endpoint data collectors, or agents as they are usually called, and on how they work. In the first article we introduced this entity and looked at the main nuances of collecting data with them. Since, as part of developing our own products, we work on both log management and event collection, we want to share the continuation of our extensive analysis in a quickstart format. So in this installment we take a closer look at the functionality and tooling of event sources on Windows.

https://habr.com/ru/companies/securityvison/articles/862352/

#Логирование #сбор_событий #eventlog #журналы_windows #журналы_событий #sysmon #event_tracing_for_windows #event_logging #event_log #etw

The three elephants that Windows logging rests on

Anastasia Kuznetsova, Security Vision. This research was carried out while working through the agent story for a whole group of products. We continue our series of articles on the types of data collectors and how they work...

My program, which has a JIT compiler in it, is getting killed (or at least it seems like it) on Azure Pipelines. When I turn the JIT off it runs fine. When I use IMAGE_NAME: 'windows-2019' instead of -latest, it runs fine.
Is there some kind of new security feature or exploit mitigation or whatever that was turned on some time between these two images that might be killing my program because the JIT needs to be adapted to it?
How the heck do I find out how my program is actually quitting? "exit code 0xff" is not terribly enlightening ...
This is incredibly frustrating to debug, not just because I have to wait ~10 minutes between putting a change in and seeing the result, but also because the majority of tools Windows developers have at their disposal seem to only be usable with a GUI which, surprise surprise, Azure Pipelines runners don't let you access.

#azurepipelines #msvc #windows #justintimecompilation #ETW #pwsh

Source code for [new ver 2.1.51.590] of ETWPM2Monitor2.1 (blue teaming tool) published.
In this version some bugs were fixed and a new tab called "Alarms by Memory Scanner" was added. I did not add the events of this new tab to the Windows event logs because of a lot of false positives, so in this update I decided to show these events only in the tool, without adding them to the WinEventLog called ETWPM2Monitor2...
This code needs more testing, but I think it's time to publish the new version ;)

ETWPM2Monitor2.1 C# Source code => https://lnkd.in/eFnn2TzQ

#blueteam #soc #threathunting #pentesting #redteam #etw #monitoring #eventlogs #memoryscanner #scanner #inmemory

Sliver-C2 and moving from Beacon Mode to Session Mode ...

AV bypassed; working with some C2 server, like Sliver, is really important...
#c2c #blueteam #soc #threathunting #pentesting #redteam #etw #monitoring #eventlogs #memoryscanner #scanner #inmemory

Some little bits of code were added to my blue team code to detect some opcodes in injected bytes (especially for this DripLoader or code like it).
This updated version still needs some more code to be better, but I am working hard on it ;D. Just for testing, some code in DripLoader.cpp was changed by me, only for the test ;)

I tested the old loader called "#DripLoader", and it bypasses ETW events, but my blue team tool was not fully bypassed and the code was detected...
The background of this code is really nice and I am working on it, so maybe you want to see what happened in my test. As a #pentester or #Redteamer this will help you better understand ETW or other #eventbased #detections.

As a #blueteamer you can see that with this method your tools will sometimes be confused very simply ;p. In these pictures you can see that the start address reported via ETW was not detected correctly.

Note: it does not mean that the start address is fake; I just want to say that the start address 0x7ffca90... is not about the shellcode which started with bytes {0xb8, 0x00, 0x00, 0xdd, 0xdd}; it's about jmp, Mov/BaseAddress/0xdddd0000, and you can find those bytes in the C++ source code of DripLoader:

line 12 of DripLoader.cpp
unsigned char jmpSc[7] {0xB8,b[0],b[1],b[2],b[3],0xFF,0xE0};

Worth reading =>
More detail about the background of the code: https://lnkd.in/ekpHUBsv

This code was added to my list a long time ago => https://lnkd.in/eeStM9C

#blueteam #tools #redteam #pentesting #avs #edr #socanalyst #soc
#etw #threadinjection #threathunting #threatdetection
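The post above describes a thread start address that lands on a 7-byte stub (B8 imm32 = mov eax, imm32; FF E0 = jmp eax) rather than on the payload itself. The following is an added defender-side example, not code from the post, from DripLoader or from ETWPM2Monitor2: it recognises that stub in a byte buffer and decodes the 32-bit target so a memory scanner can inspect where the thread really continues. The sample bytes are constructed from the values the post mentions (b8 00 00 dd dd ff e0, i.e. mov eax, 0xDDDD0000; jmp eax).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Length of the mov eax, imm32 ; jmp eax stub quoted from DripLoader.cpp. */
#define TRAMPOLINE_LEN 7

/* Returns 1 and writes the jump target when buf begins with the stub
 *   B8 xx xx xx xx   mov eax, imm32   (imm32 is little-endian)
 *   FF E0            jmp eax
 * and 0 otherwise. Because the stub uses the 32-bit form of mov, the
 * target is a 32-bit address even when the stub runs in a 64-bit process,
 * which is why the reported start address and the payload can look unrelated. */
int decode_mov_jmp_trampoline(const uint8_t *buf, size_t len, uint32_t *target)
{
    if (buf == NULL || target == NULL || len < TRAMPOLINE_LEN)
        return 0;
    if (buf[0] != 0xB8 || buf[5] != 0xFF || buf[6] != 0xE0)
        return 0;
    *target = (uint32_t)buf[1]
            | ((uint32_t)buf[2] << 8)
            | ((uint32_t)buf[3] << 16)
            | ((uint32_t)buf[4] << 24);
    return 1;
}

/* Constructed sample input: the bytes the post describes at the start address. */
static const uint8_t kSampleStub[TRAMPOLINE_LEN] =
    {0xB8, 0x00, 0x00, 0xDD, 0xDD, 0xFF, 0xE0};

/* Convenience wrapper: decoded target of the sample stub, or 0 if not a stub. */
uint32_t sample_trampoline_target(void)
{
    uint32_t t = 0;
    return decode_mov_jmp_trampoline(kSampleStub, sizeof kSampleStub, &t) ? t : 0;
}

int main(void)
{
    uint32_t t = 0;
    if (decode_mov_jmp_trampoline(kSampleStub, sizeof kSampleStub, &t))
        printf("start address is a trampoline -> payload at 0x%08X\n", t);
    else
        puts("no mov/jmp trampoline at start address");
    return 0;
}
```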

Bypassing EDR real-time injection detection logic