I created this undertaking to assist non-developers dive into researching Occasion Tracing for Home windows (ETW) and Home windows PreProcessor Tracing (WPP).
- Subscribe to a number of ETW and WPP Suppliers without delay
- Routinely parse occasions into JSON while not having to know format
- Sturdy Occasion filtering together with filter chaining and filter negation
- Output to Normal out, File, or Home windows Occasion Log (to be ingested by different instruments)
- Get occasion stack traces
- Configurable Buffering many occasions in a time interval into one with a rely, to cut back the variety of occasions generated
Sealighter leverages the feature-rich Krabs ETW Library to allow detailed filtering and triage of ETW and WPP Suppliers and Occasions.
You may subscribe and filter a number of suppliers, together with Consumer mode Suppliers, Kernel Tracing, and WPP Tracing, and output occasions as JSON to both stdout, a file, or the Home windows Occasion Log (helpful for high-volume traces like FileIO). No data of the occasions the supplier might produce, or their format, is critical, Sealighter mechanically captures and parses any occasions it’s requested.
Occasions can then be parsed from JSON in Python, PowerShell, or forwarded to Splunk or ELK for additional looking.
Filtering may be carried out on varied elements of an Occasion, from its ID or Opcode, to matching a property worth, to doing an arbitrary string search throughout the whole occasion (Helpful in WPP traces or when you do not know the occasion construction, however have an concept of its contents). You may also chain a number of filters collectively, or negate the filter. You may also filter the utmost occasions per ID, helpful to research a brand new supplier with out being flooded by related occasions.
ETW is an extremely helpful system for each Purple and Blue groups. Purple groups might glean perception into the interior workings of Home windows elements, and Blue groups may get invaluable perception into suspicious exercise.
A typical analysis loop could be:
- Determine fascinating ETW Suppliers utilizing
logman question suppliersor In search of WPP Traces in Binaries - Begin a Session with the fascinating suppliers allow, and seize occasions while doing one thing ‘fascinating’
- Look over the outcomes, utilizing a number of of:
- Eyeballing every occasion/grepping for phrases you count on to see
- Run a script in Python or PowerShell to assist filter or discover fascinating captured occasions
- Ingesting the info into Splunk or an ELK stack for some superior UI-driven looking
Doing this with ETW Occasions may be troublesome, with out writing code to work together with and parse occasions from the obtuse ETW API. Should you’re not a robust programmer (or do not need to take care of the API), your solely different choices are to make use of a mix of older inbuilt home windows instruments to put in writing to disk as binary etl recordsdata, then coping with these. WPP traces compounds the problems, offering nearly no easy-to-find knowledge about supplier and their occasions.
Initiatives like JDU2600’s Occasion Checklist and ETWExplorer and provides some static perception, however Suppliers usually comprise obfuscated occasion names like Occasion(1001), that means probably the most fascinating knowledge solely turns into seen by dynamically operating a hint and observing the output.
In a approach, this performs in an analogous area as FuzzySec’s SilkETW. However Whereas Silk is extra production-ready for defenders, that is designed for researchers like myself, and as such comprises plenty of options that I could not get with Silk, largely as a result of completely different Library they used to energy the software. Please see Right here for extra data.
In all probability somebody who understands the essential of ETW, and actually needs to dive into discovering what knowledge you’ll be able to glean from it, with out having to put in writing code or manually determine learn how to get and parse occasions.
Please learn the next pages:
Set up – The way to begin operating Sealighter, together with a easy config, and learn how to arrange Home windows Occasion logging if required.
Configuration – The way to configure Sealighter, together with learn how to specify what Suppliers to Log, and the place to log to.
Filtering – Deep dive into all of the forms of filtering Sealighter gives.
Buffering – The way to use buffering to report many related occasions as one
Parsing Knowledge – The way to get and parse knowledge from Sealighter.
Eventualities – Walkthrough instance situations of how I’ve used Sealighter in my analysis.
Limitations – Issues Sealighter does not do nicely or in any respect.
The identify is a contraction of Seafood Highlighter, which is what we name pretend crab meat in Oz. Because it’s constructed on Krabs ETW, I believed the identify was humorous.
Be at liberty to boost a problem, though as I state within the comparability docs I am solely a single individual, and this can be a research-ready software, not a production-ready.
