Make ETW Great Again.
Ben Lelonek Nate Rogers
Make ETW Great Again. Exploring some of the many uses of Event Tracing for Windows (ETW)
Ben Lelonek, Nate Rogers
CyberPoint is a cyber security company. We're in the business of protecting what's invaluable to you.
Who We Are
Ben Lelonek Nate Rogers
– @Conjectural_Hex
Make ETW Great Again – Ruxcon 2016
Source: https://msdn.microsoft.com/en-us/windows/hardware/commercialize/test/weg/weg-performance
[Chart: Providers by Windows Version. Windows 2000: 3, Windows XP: 3, Windows Vista: 431, Windows 7: 656, Windows 8.1: 956, Windows 10: 1052]
– process, .NET/CLR, Kernel, IO, Files, Memory, UAC, Logins, Crypto, Firewall, SMB, TCPIP, MANY more…
– Similar to our technique (next slide)
– Uses driver
– Opcode Names: “Read”, “Write”
– Opcode Values: 0x67, 0x68
– USB key logging discussed but no tools exist
– ETW provides RAW USB data
– Microsoft-Windows-USB-UCX - {36DA592D-E43A-4E28-AF6F-4BC57C5A11E8}
– Microsoft-Windows-USB-USBPORT - {C88A4EF5-D048-4013-9408-E04B7DB2814A}
– ETW is INTENDED functionality (debugging)
– New Technique. No AV coverage… yet
– Can capture keystrokes when computer is locked!
– Real time ETW captures can have delays
– Requires admin
Source: https://msdn.microsoft.com/en-us/library/windows/hardware/dn741264(v=vs.85).aspx
– UCX_URB_BULK_OR_INTERRUPT_TRANSFER
– Microsoft-Windows-USB-UCX (USB 3)
– Microsoft-Windows-USB-USBPORT (USB 2)
– Potential False Positives?
– No baseline of “trusted sessions”
– Everything but Real-time sessions
– Stops previous session. Not restarted
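An added defender-side check (example code, not from the deck) that enumerates the ETW trace sessions on a host and flags any that subscribe to the two USB providers above. It assumes Windows 10 or later with the EventTracingManagement module, an elevated shell, and a hypothetical allowlist of baselined session names that starts empty because, as the slides note, no such baseline exists out of the box.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Ruxcon deck. Assumes Windows 10 or later with the
# EventTracingManagement module (Get-EtwTraceSession / Get-EtwTraceProvider) and an
# elevated shell, since enumerating trace sessions requires administrator rights.

# Provider GUIDs as given on the slides.
$UsbProviders = @{
    '36DA592D-E43A-4E28-AF6F-4BC57C5A11E8' = 'Microsoft-Windows-USB-UCX (USB 3)'
    'C88A4EF5-D048-4013-9408-E04B7DB2814A' = 'Microsoft-Windows-USB-USBPORT (USB 2)'
}

# Hypothetical allowlist of session names an organisation has baselined as trusted;
# the slides note that no such baseline exists by default, so it starts empty.
$TrustedSessions = @()

# EVENT_TRACE_REAL_TIME_MODE: the session delivers events to a live consumer
# rather than only to a log file.
$RealTimeMode = 0x100

function Find-UsbTraceSession {
    foreach ($session in Get-EtwTraceSession) {
        $providers = Get-EtwTraceProvider -SessionName $session.Name -ErrorAction SilentlyContinue
        foreach ($provider in $providers) {
            # Normalise to an upper-case GUID without braces so the lookup is exact.
            $guid = ([string]$provider.Guid).Trim('{}').ToUpperInvariant()
            if (-not $UsbProviders.ContainsKey($guid)) { continue }
            [pscustomobject]@{
                SessionName = $session.Name
                Provider    = $UsbProviders[$guid]
                IsRealTime  = (($session.LogFileMode -band $RealTimeMode) -ne 0)
                LogFile     = $session.LogFileName
                Trusted     = ($TrustedSessions -contains $session.Name)
            }
        }
    }
}

# Report every untrusted session that subscribes to a USB host-controller provider.
Find-UsbTraceSession | Where-Object { -not $_.Trusted } | Format-Table -AutoSize
```

Populate $TrustedSessions from a known-good host before acting on the output, since legitimate debugging sessions (for example from USB trace tooling) use the same providers and would otherwise be reported.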
Out of 15 tested Applications: 4 Full Leaks, 9 Partial Leaks, 2 No Leaks
MSDN Event Tracing
USB Device Class Definition for Human Interface Devices (HID)
USB traces with Microsoft Message Analyzer
Viewing/capturing USB data
USB/URB
Ransomware samples
Xperf Basics: Recording a Trace (the easy way)
SSL Side Jacking