| |||||
| |||||
Search Irongeek.com:
Help Irongeek.com pay for bandwidth and research equipment: |
Today, defenders consume the Windows Event Log to detect intrusions. While useful, audit logs don,t capture the full range of data needed for detection and response. ETW (Event Tracing for Windows) is an additional source of events that defenders can leverage to make post-breach activity more visible in Windows.
ETW provides a rich set of data, largely intended for debugging scenarios. As a side effect, these traces also have data that is ideal for detecting potentially malicious behavior, such as raw networking data and detailed PowerShell data. Unfortunately, the ETW API is low level and primitive, making it difficult to use at scale reliably. Be- cause our security team in Office 365 supports monitoring over 150,000 machines, we needed a reliable way to consume the events in real-time, while adhering to strict memory and CPU usage constraints. To accomplish this, our team built the open- source krabsetw library to simplify dynamically consuming ETW events. We currently use this library to collect 6.5TB of data per day, from our service.
In this talk, we,ll discuss a few ETW sources we,ve found to be high value as well as the detections they enable. We,ll also demo a few examples of using krabsetw to consume them as well as share some strategies for scaling ETW monitoring.
15 most recent posts on Irongeek.com:
|
If you would like to republish one of the articles from this site on your
webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast