{"id":56,"date":"2025-08-05T09:00:00","date_gmt":"2025-08-05T09:00:00","guid":{"rendered":"https:\/\/justruss.tech\/?p=56"},"modified":"2026-05-15T10:34:55","modified_gmt":"2026-05-15T10:34:55","slug":"seond-blog","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2025\/08\/05\/seond-blog\/","title":{"rendered":"Windows Event Tracing with Logman: A Threat Hunter&#8217;s Guide"},"content":{"rendered":"<p>Windows Event Tracing (ETW) is a kernel-level logging mechanism providing visibility into system activity at a level of detail that standard security event logs do not expose. It sits underneath a lot of modern EDR telemetry, which means understanding it helps explain both what you can detect and why certain attacks get missed by products relying only on userland monitoring.<\/p>\n<h3>ETW architecture<\/h3>\n<p>ETW is a publish-subscribe system built into the Windows kernel. Providers register themselves and emit structured events. Consumers subscribe to providers and receive a real-time stream of event data. The Windows kernel itself is a provider. So is the .NET runtime, PowerShell, WMI, DNS client, network stack, and hundreds of other components.<\/p>\n<p>Every ETW provider has a GUID. 
The critical security-relevant ones are:<\/p>\n<pre>\/\/ Key ETW providers for security monitoring\nMicrosoft-Windows-Threat-Intelligence (ETWTI):\n    GUID: {F4E1897C-BB5D-5668-F1D8-040F4D8DD344}\n    \/\/ Covers: process injection, credential access, AMSI bypass\n    \/\/ Requires kernel driver to consume - what commercial EDR uses\n\nMicrosoft-Windows-Kernel-Process:\n    GUID: {22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}\n    \/\/ Covers: process\/thread\/image load events at kernel level\n\nMicrosoft-Windows-Kernel-Network:\n    GUID: {7DD42A49-5329-4832-8DFD-43D979153A88}\n    \/\/ Covers: TCP\/UDP operations with owning process, before userland APIs\n\nMicrosoft-Windows-DNS-Client:\n    GUID: {1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}\n    \/\/ Covers: all DNS queries with process attribution\n\nMicrosoft-Windows-PowerShell:\n    GUID: {A0C1853B-5C40-4B15-8766-3CF1C58F985A}\n    \/\/ Covers: script block logging, module logging, command history<\/pre>\n<h3>Starting a capture session with Logman<\/h3>\n<p>Logman is the built-in command-line tool for managing ETW trace sessions. Starting a capture of kernel network events:<\/p>\n<pre>\/\/ Start a network trace session\nlogman create trace NetworkCapture -p \"Microsoft-Windows-Kernel-Network\" 0x10 \\\n    -o C:\\traces\\net.etl -ets\n\nlogman start NetworkCapture -ets\n\n\/\/ ... 
capture activity ...\n\nlogman stop NetworkCapture -ets\n\n\/\/ Convert to readable XML format\ntracerpt C:\\traces\\net.etl -o C:\\traces\\net.xml -of XML\n\n\/\/ Or to CSV for easier analysis\ntracerpt C:\\traces\\net.etl -o C:\\traces\\net.csv -of CSV<\/pre>\n<pre>\/\/ Capture PowerShell activity (useful for post-incident analysis)\nlogman create trace PSCapture \\\n    -p \"Microsoft-Windows-PowerShell\" 0xffffffffffffffff \\\n    -o C:\\traces\\ps.etl -ets\n\nlogman start PSCapture -ets\n\/\/ Run the PowerShell activity you want to capture\nlogman stop PSCapture -ets\n\n\/\/ Convert and parse\ntracerpt C:\\traces\\ps.etl -o C:\\traces\\ps.xml -of XML<\/pre>\n<h3>Consuming ETWTI for real-time detection<\/h3>\n<p>The Microsoft-Windows-Threat-Intelligence provider requires a kernel driver to consume because it delivers data through a callback mechanism rather than the standard ETW session model. This is why only EDR products with kernel drivers can monitor it. However, you can write a kernel driver specifically for consuming ETWTI events in your own lab environment.<\/p>\n<pre>\/\/ Verifying ETWTI coverage in your environment\n\/\/ Check whether your EDR has a kernel driver loaded\nGet-WmiObject Win32_SystemDriver | Where-Object {$_.State -eq \"Running\"} |\n    Select-Object Name, PathName | Format-List\n\n\/\/ If no kernel driver exists for your security product, ETWTI coverage is absent\n\/\/ That means direct syscall attacks, process hollowing variants, and\n\/\/ some credential access techniques will not generate alerts\n\n\/\/ Test your coverage: run a known-detectable credential access tool\n\/\/ in a test environment and verify whether your EDR fires\n\/\/ Tools like Atomic Red Team have test cases mapped to ATT&amp;CK techniques<\/pre>\n<h3>ETW tampering detection<\/h3>\n<p>Because modern EDR relies on ETW, attackers have started researching how to interfere with ETW providers to blind security tools. 
The most common technique patches the EtwEventWrite function in memory within the current process to prevent events from being written. Sysmon Event ID 25 (ProcessTampering) on Windows 10 21H1 and later catches this.<\/p>\n<pre>\/\/ Sysmon configuration to catch ETW tampering\n\/\/ Event ID 25 fires when a process's loaded module is patched in memory\n\n\/\/ Example Sysmon Event ID 25 entry indicating AMSI\/ETW patch:\n\/\/ EventID:   25\n\/\/ Process:   C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\/\/ Type:      Image is replaced\n\/\/ Hashes:    SHA256=...\n\n\/\/ Sigma rule for ETW tampering\ntitle: ETW or AMSI Patching Detected\nlogsource:\n    product: windows\n    category: process_tampering\ndetection:\n    selection:\n        EventID: 25\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\cmd.exe'\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n    condition: selection\nlevel: critical<\/pre>\n<h3>Building an ETW-based monitoring pipeline<\/h3>\n<p>For a home lab or small environment without commercial EDR, SilkETW is an open source tool that consumes ETW providers and outputs JSON logs that can be shipped to Elastic or Splunk.<\/p>\n<pre>\/\/ SilkETW setup for PowerShell monitoring\n\/\/ https:\/\/github.com\/mandiant\/SilkETW\n\nSilkETW.exe -t user -pn Microsoft-Windows-PowerShell -ot file -p C:\\logs\\ps_etw.json\n\n\/\/ The output JSON includes full script block content, module names,\n\/\/ command invocations, and timing data - similar to 4104 events\n\/\/ but delivered through ETW rather than the Windows event log\n\n\/\/ Filter the JSON lines with a short inline Python script for quick analysis\n\/\/ (one JSON event per line; malformed or partial lines are skipped)\ncat C:\\logs\\ps_etw.json | python3 -c \"\nimport sys, json\nfor line in sys.stdin:\n    try:\n        evt = json.loads(line)\n    except json.JSONDecodeError:\n        continue\n    if 'ScriptBlockText' in str(evt):\n        print(json.dumps(evt, indent=2))\n\"<\/pre>\n<h3>Why this matters for threat hunting<\/h3>\n<p>Most threat hunting guides focus on Windows event logs and Sysmon because those are the most accessible data sources. ETW sits underneath both of them. Understanding it means you can explain to stakeholders why certain attacks do not generate alerts (the EDR has no kernel driver so ETWTI is unavailable), evaluate which EDR products actually provide the coverage they claim, and build custom monitoring for gaps that commercial products leave. It also means you can spot when an attacker is deliberately interfering with your telemetry, which is itself a high-confidence indicator of a sophisticated intrusion.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ETW sits underneath all modern EDR telemetry. This covers how event tracing works, how to capture sessions with Logman, which providers matter for security monitoring, and how attackers try to tamper with ETW to blind your tools.<\/p>\n","protected":false},"author":1,"featured_media":98,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-56","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dfir"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/56","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=56"}],"version-history":[{"count":9,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/56\/revisions"}],"predecessor-version":[{"id":342,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/56\/revisions\/342"}],"wp:featuredmedia":[{"embeddable":true
,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media\/98"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}