Uncovering Windows Events

tags: etw-events,kernel,reverse-engineering
url:
original_word_count: 1284

Article Excerpt

Not all manifest-based Event Tracing for Windows (ETW) providers exposed by Windows are ingested into telemetry sensors or EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider.

Long Summary

This article provides an overview of the Threat-Intelligence ETW provider, a manifest-based ETW provider that generates security-related events. It explains how to uncover the underlying mechanisms of the provider and how to log events from it. The article walks through using IDA to analyze code within ntoskrnl.exe and the parameters passed to the EtwRegister function. It then explains the EventDescriptor structure and how the EventId is determined. It also explains the different functions that call MiReadWriteVirtualMemory and the path by which the THREATINT_WRITEVM_REMOTE event is logged.

Taken together, the article gives a detailed, step-by-step account of uncovering the provider's underlying mechanisms: the parameters of EtwRegister, the EventDescriptor structure and how the EventId is determined, the functions that call MiReadWriteVirtualMemory, and how the THREATINT_WRITEVM_REMOTE event ends up being logged. It is a useful resource for anyone looking to understand how the provider works internally and how to log events from it.

Short Summary

📓 Uncovering Windows Events in ETW 👉🏽 Not all manifest-based Event Tracing for Windows (ETW) providers exposed by Windows are ingested into telemetry sensors or EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. 👉🏽 The manifest-based Threat-Intelligence ETW provider generates security-related events 👉🏽 In this article we uncover the underlying mechanisms of the provider 👉🏽 Using IDA to analyze code within ntoskrnl.exe 👉🏽 Explaining the parameters of the EtwRegister function 👉🏽 Understanding the EventDescriptor structure and the functions that call MiReadWriteVirtualMemory

#ThreatIntelligenceETWProvider #UncoveringMechanisms #EtwRegisterFunction #EventDescriptorStructure #LogEvents