make etw great again
play

Make ETW Great Again. Exploring some of the many uses of Event - PowerPoint PPT Presentation

Feb 11, 2024 •595 likes •1.05k views

Make ETW Great Again. Exploring some of the many uses of Event Tracing for Windows (ETW) Ben Lelonek Nate Rogers CyberPoint is a cyber security company. Were in the business of protecEng whats invaluable to you. Who We Are

  1. Make ETW Great Again. Exploring some of the many uses of Event Tracing for Windows (ETW) Ben Lelonek Nate Rogers

  2. CyberPoint is a cyber security company. We’re in the business of protecEng what’s invaluable to you.

  3. Who We Are CyberPoint Security Research Team • www.cyberpointllc.com/srt • SRT@cyberpointllc.com • @CyberPoint_SRT Nate “Million Dollars” Rogers Ben “Texas Dirt” Lelonek • CyberPoint Interna6onal • CyberPoint Interna6onal – Security Research Team / – Security Research Team Lead Developer • Student at NYU • Student at UMBC • Previously: – eEye Digital Security • TwiEer: @ Conjectural_Hex – Make ETW Great Again – Ruxcon 2016

  4. What we’re going to be talking about. • What is ETW • Quick Overview of ETW • Usage Examples • Public Uses and Research • ETW for Malware Detec6on • ETW for Red Team • Mi6ga6ons • Ques6ons Make ETW Great Again – Ruxcon 2016

  5. What is Event Tracing for Windows (ETW)? • Built-in, general purpose, logging and diagnos6c framework • Efficient: high speed, low overhead • Dynamically enabled or disabled • Log to file or consume in real 6me • Used for performance analysis and general debugging Source: • Example usage h*ps://msdn.microso3.com/en-us/windows/hardware/commercialize/test/weg/weg-performance – Google Chrome • Performance analysis & profiling • UIforETW Make ETW Great Again – Ruxcon 2016

  6. Quick Overview of ETW • First introduced in Windows 2000 Providers by Windows Version • Greatly expanded in Vista 1200 1052 – New manifest-based providers 956 1000 and logging in more than just 800 656 the kernel 600 – More in each OS since 431 400 200 3 3 0 Windows Windows Windows Windows 7 Windows Windows 2000 XP Vista 8.1 10 • Ease of use improved with each OS – Windows 2000 – MOF classes and WMI – Windows Vista – XML Manifests – Windows 8/.NET 4.5 – EventSource (C#) – Windows 10 – TraceLogging Make ETW Great Again – Ruxcon 2016

  7. How to View ETW Events • API – Less commonly used, focus of our work – Microsol.Diagnos6cs.Tracing.TraceEvent.dll – C/C++/C#/etc • Command Line / Applica6ons – More commonly used – Built-in: Logman, TraceRpt, Event Viewer, Performance Monitor, wevtu6l – Installable: Xperf, PerfView, Netmon, Microsol Message Analyzer, Windows Performance Analyzer • PerfView example… Make ETW Great Again – Ruxcon 2016

  8. Viewing ETW Events – PerfView Teslacrypt reading files in System32 Make ETW Great Again – Ruxcon 2016

  9. ETW Example Providers • Lis6ng providers • Lis6ng running sessions Make ETW Great Again – Ruxcon 2016

  10. Using ETW • ETW Events are handled Asynchronously – System / Applica6on writes them to the kernel – Consumers must establish a session and subscribe to get data • Typical ETW Structure – C/C++: EVENT_HEADER, EVENT_RECORD, EVENT_TRACE structures and trace data helper (TDH) func6ons – C#: TraceEvent object, PayloadStringByName() • Mechanism – OS-side implementa6on details not publicly available – Callbacks from the OS • Events Can be Collected Remotely – Configured via WMI, Powershell – Collector machine pulls data from workers Make ETW Great Again – Ruxcon 2016

  11. TraceEvent object TONS of informa6on! Make ETW Great Again – Ruxcon 2016

  12. Using ETW API (C#) Example Simple UAC Event Listener • Extremely easy to implement Make ETW Great Again – Ruxcon 2016

  13. Great, so what does this have to do with security? • Extensive Integra6on with Windows – Much of the Windows API logs to ETW – Vast amount of Windows Subsystems have providers – Can be used to collect informa6on for both aEackers & defenders/auditors • Universally Deployed in Windows – Exists (in some form) in every version since Windows 2000 – Data provider enabled on demand – Huge poten6al for abuse • We’ll get back to this later… – Great poten6al for defensive applica6ons/research • Lots of poten6al data points for collec6on/heuris6cs – process, .NET/CLR, Kernel, IO, Files, Memory, UAC, Logins, Crypto, Firewall, SMB, TCPIP, MANY more… • Some examples/tools exist but can be improved Make ETW Great Again – Ruxcon 2016

  14. Public Uses and Research • Defensive • Offensive – Data Mining Heuris6cs – Persistence • Collec6ng ETW logs to detect • ETW triggering service execu6on malware – Packet capture – Ransomware detec6on (not • logman/netsh for capturing network ETW) traffic • Track file IO / handles – “SSL Sidejacking” / Cookie – Similar to our technique (next Stealing slide) • ETW listener for WinINet can snoop – Uses driver on traffic (even SSL/TLS) Make ETW Great Again – Ruxcon 2016

  15. ETW Malware DetecEon: Room for Improvement • Few malware ETW tools – Exis6ng techniques all use external EXEs • Logman.exe, wevtu6l.exe, PerfView, etc. • Olen focus on network traffic (!Ransomware) – Can’t parse in “real” 6me • Must log to disk then parse • Ransomware ETW solu6ons? – Virtually none • Goals: – More lightweight (less overhead) solu6ons would be op6mal – Na6ve ETW API • Standalone binary with no dependencies – Sta6c AND Dynamic • Detect Ransomware in real 6me • Also support captures (.etl) Make ETW Great Again – Ruxcon 2016

  16. DetecEng Ransomware – Our Approach Classify and DisEll Ransomware Behavior • Iterate files – Extension based, loca6on based, etc. • Read/wri6ng to files – access 6mes, crea6on 6mes, different sizes (read vs. write) , loca6on • Encryp6on – AES, custom, GOST, RSA, Blowfish, TripleDES, XOR, RC4, Salsa20, TEA, zip, rar, etc. • Move/Rename/Copy/Delete – Many different ways to deal with “original” file Make ETW Great Again – Ruxcon 2016

  17. DetecEng Ransomware – Our Approach (cont.) Is generalizaEon of behavior possible for all samples? • Read then Write – Yes, but varies… – Lots of false posi6ves – Timing Threshold? • account for OS delays, itera6ons, etc. • File Size Delta? – Encrypted file vs. original – Different encryp6on, IVs, etc., add size! – Sizes deltas vary • Lots of false posi6ves in benign processes • File Name Changes – Original file name vs. Encrypted – Original is in encrypted name (in some form) • Almost always • Encryp6on – Too much variance for generic rule Make ETW Great Again – Ruxcon 2016

  18. DetecEng Ransomware – Our Approach (cont.) • Generic Detec6on Algorithm – Track writes to files that were previously read • Must be the same PID • Must be within 6me threshold 80ms – Highest average ~49ms (Nanolocker) • Must be within size delta threshold 1024 bytes – Higher than needed for malware – Browser caches and temp files – If above criteria is met increment SuspiciousEvent counter • Suspicious Event Counter = 3 – Filter false posi6ves • temp files, caching, windows search, etc. Suspicious! PID Time Size Make ETW Great Again – Ruxcon 2016

  19. DetecEng Ransomware – Our Approach (cont.) • Which provider is needed? – “Windows Kernel” – Can use others but not necessary • What data is needed from provider? – “Type Field” • “FileIOReadWriteTraceData” • Mul6ple Event Types – EventName • “ FileIO/Write” • “FileIO/Read” – “OpCode” • Sub-types know as OpCodes • represented with INT and ASCII name – OpcodeNames: “Read”, “Write” – Opcode Values: 0x67, 0x68 Make ETW Great Again – Ruxcon 2016

  20. What can we detect? • EVERYTHING! (That we tested.) • Specifically, cerber, chimera, ctb-locker, locky, hydracrypt, jigsaw, lockscreen, mobef, radamant, samsam, shade, teslascrypt, torrentlocker, trucrypter, 7ev3n, coverton, kimcilware, petya • Generically detected all samples • Even those with (relaCvely) low detec6ons on VirusTotal • TorrentLocker: Make ETW Great Again – Ruxcon 2016

  21. ETW & Ransomware DetecEon LimitaEons • Not Perfect – Needs at least 3 files to be encrypted to be effec6ve • Dynamic Captures can be delayed – Varies greatly – Depends on number of consumed events, system ac6vity, etc. – Usually small delay • Hard to Hide Sessions from Malware and AEacker – Easy for malware to see who’s “listening” • Trivial to access... Make ETW Great Again – Ruxcon 2016

  22. Malware DetecEon of ETW How easily can aEackers “see” ETW? • An6-Analysis? • Easy to see sessions – logman.exe, C# API • No Baseline of sessions or providers – Which are good? Which are bad? Make ETW Great Again – Ruxcon 2016

  23. ETW Providers for Red Team Tons of poten6al ETW providers! • Some uses are obvious – Winlogin, SCM, WLAN, WMI, Firewall, UAC, TCPIP, Task Scheduling, SMB, SmartCards, Terminal Services, Powershell, Loca6on, Kernel Resources/ Events,IPSEC, FileHistory/FileManage, DNS/DHCP Client, BlueTooth, Bits, BitLocker, Cryptography, An6malware, LsaSrv, SAM, Ac6veDirectory • Some are a liEle less... – Microsol-Windows-Bluetooth-HidBthLE – Microsol-Windows-USB-UCX – Microsol-Windows-WinINet – Etc…. Most have Good Poten6al • All require closer inspec6on before use – Some more than others (USB) • Lots of Metadata – Must be filtered out Make ETW Great Again – Ruxcon 2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hello. Its great to be able to make this presenta5on via webinar for all those who were not

Hello. Its great to be able to make this presenta5on via webinar for all those who were not

Hello. Its great to be able to make this presenta5on via webinar for all those who were not able to a9end the recent Triangle Marke5ng Club meetup where I made the same presenta5on. 1 My name is Douglas Burde9 and Im the founder and

707 views • 41 slides
The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build healthy relationships that help them through high school. They make lots of great memories! Band kids score better on standardized tests. The College

457 views • 18 slides
The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build healthy relationships that help them through high school. They make lots of great memories! Band kids score better on standardized tests. The College

618 views • 19 slides
Scholarships 101 SCHOLARSHIPS Write a GREAT essay Make it personal Resume

Scholarships 101 SCHOLARSHIPS Write a GREAT essay Make it personal Resume

Scholarships 101 SCHOLARSHIPS Write a GREAT essay Make it personal Resume Proofread Research online Embassy FREE MONEY Usually awarded based on: Academic achievements Interests & career plans

428 views • 5 slides
Make Your Reports Look Great with the Versatile Proc Tabulate Ben Cochran The Bedford Group

Make Your Reports Look Great with the Versatile Proc Tabulate Ben Cochran The Bedford Group

Make Your Reports Look Great with the Versatile Proc Tabulate Ben Cochran The Bedford Group bencochran@nc.rr.com A Silver Member of the SAS Alliance Make Your Reports Look Great with the Versatile Proc Tabulate by Ben Cochran Bio:

547 views • 32 slides
L ESSON 6- M AKING A GREAT PRESENTATION Acknowledgement: Most images and some contents of this

L ESSON 6- M AKING A GREAT PRESENTATION Acknowledgement: Most images and some contents of this

L ESSON 6- M AKING A GREAT PRESENTATION Acknowledgement: Most images and some contents of this presentation are borrowed from the internet. H OW TO MAKE A GREAT PRESENTATION ? There are hundreds different ways to make a presentation.

494 views • 18 slides
Attendance via Zoom Lets try to make this a great experience for all of us: Please check your

Attendance via Zoom Lets try to make this a great experience for all of us: Please check your

Attendance via Zoom Lets try to make this a great experience for all of us: Please check your setup before the meeting. We start all calls 10 minutes early, where you can do so. Please connect before the meeting starts. Please join using your

318 views • 13 slides
TCP/IP Sockets in C Computer Chat How do we make computers talk? Great and inexpensive book:

TCP/IP Sockets in C Computer Chat How do we make computers talk? Great and inexpensive book:

TCP/IP Sockets in C Computer Chat How do we make computers talk? Great and inexpensive book: How are they interconnected? Michael J. Donahoo Kenneth L. Calvert Internet Protocol (IP) Morgan Kaufmann Publisher $14.95 Paperback

299 views • 9 slides
TO DEVELOP GREAT TEACHING? #SNEsummit15 What will it taketo develop great teaching? Robert

TO DEVELOP GREAT TEACHING? #SNEsummit15 What will it taketo develop great teaching? Robert

What will it take TO DEVELOP GREAT TEACHING? #SNEsummit15 What will it taketo develop great teaching? Robert Coe SCHOOLS NorthEast Summit 2015 My argument If you make decisions about education, you should be informed by a

474 views • 32 slides
JaTest Build Software So Secure You May Actually Make America Great Again Jake Weissman,

JaTest Build Software So Secure You May Actually Make America Great Again Jake Weissman,

JaTest Build Software So Secure You May Actually Make America Great Again Jake Weissman, Andrew Grant, Jemma Losh, Jared Weiss Why JaTest? JaTest promotes good coding practices, allowing the programmer to easily define test cases,

791 views • 22 slides
MAKE DKOM ATTACKS GREAT AGAIN MARIANO GRAZIANO Bologna, Italy - 29/10/2016 1 whoami

MAKE DKOM ATTACKS GREAT AGAIN MARIANO GRAZIANO Bologna, Italy - 29/10/2016 1 whoami

MAKE DKOM ATTACKS GREAT AGAIN MARIANO GRAZIANO Bologna, Italy - 29/10/2016 1 whoami Security researcher at Cisco in the Talos group Ph.D. Telecom ParisTech/Eurecom Hackademic Malware analysis / memory forensics 2 ROOTKIT

806 views • 45 slides
10 Tips to Great Mentoring LeAnn Johnson, Ph.D . Shepherd University 1. Make Time Build a

10 Tips to Great Mentoring LeAnn Johnson, Ph.D . Shepherd University 1. Make Time Build a

10 Tips to Great Mentoring LeAnn Johnson, Ph.D . Shepherd University 1. Make Time Build a regular mee6ng 6me with your mentee into your schedule. Dont let other things bump it. Stay focused. 2. Rapport Think back to your own

651 views • 12 slides
Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great

Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great

1 Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great Asean Fastest Growing Area of Threats Over 200 Billion devices connected worldwide by 2020. Over 13 million active bots recorded for January 2019.

766 views • 38 slides
Make Streaming Great Again IEEE ComSoc Distinguished Lectures Portland State University, Dec.

Make Streaming Great Again IEEE ComSoc Distinguished Lectures Portland State University, Dec.

Make Streaming Great Again IEEE ComSoc Distinguished Lectures Portland State University, Dec. 2019 Ali C. Begen, PhD http://ali.begen.net Ankara BS in EE Toronto, ON Istanbul San Jose, CA Adv. Res. and Dev. Prof. in CS Dept. Atlanta,

681 views • 49 slides
Make Your Macro Great from the Very Beginning Yuliia Bahatska Vladlen Ivanushkin Syneos Health

Make Your Macro Great from the Very Beginning Yuliia Bahatska Vladlen Ivanushkin Syneos Health

Make Your Macro Great from the Very Beginning Yuliia Bahatska Vladlen Ivanushkin Syneos Health DataFocus PhUSE EU Connect 2018, Frankfurt INTRODUCTION This is me when I think of my first macro 2 THE COUNTW FUNCTION

561 views • 29 slides
Great Eagle Holdings Investor Presentation 3Q15 1 Great Eagle Holdings Limited Financials

Great Eagle Holdings Investor Presentation 3Q15 1 Great Eagle Holdings Limited Financials

Great Eagle Holdings Investor Presentation 3Q15 1 Great Eagle Holdings Limited Financials Highlights of 1H 2015 Results 1. The Group has continued to make positive progress with its strategy to expand its asset base and thus far into 2015,

646 views • 43 slides
Housing Supportive Services in Californias Whole Person Care Pilots and ACA 2703 Health Home

Housing Supportive Services in Californias Whole Person Care Pilots and ACA 2703 Health Home

Housing Supportive Services in Californias Whole Person Care Pilots and ACA 2703 Health Home Program Brian Hansen Health Program Specialist II - Health Care Delivery Systems California Department of Health Care Services July 24, 2017 2

574 views • 16 slides
Population Health @ HCGH Prepared for MDH Population Health Summit, 12/4/18 Elizabeth Edsall

Population Health @ HCGH Prepared for MDH Population Health Summit, 12/4/18 Elizabeth Edsall

Population Health @ HCGH Prepared for MDH Population Health Summit, 12/4/18 Elizabeth Edsall Kromm, PhD, MSc VP Population Health & Advancement, HCGH 1 Discussion Agenda Developing a community health strategy Value of aligned

324 views • 11 slides
Neo4j @ Gamesys Toby ORourke March 2013 Overview About Gamesys Our

Neo4j @ Gamesys Toby ORourke March 2013 Overview About Gamesys Our

Neo4j @ Gamesys Toby ORourke March 2013 Overview About Gamesys Our Use Case Choosing a Store Building the App Deployment & Ops Cypher &

369 views • 12 slides
SQL Injec*on We have men*oned security a few *mes now

SQL Injec*on We have men*oned security a few *mes now

SQL Injec*on We have men*oned security a few *mes now The most important thing to realize as a Web developer / administrator is that hackers

576 views • 10 slides
On Massey products and triangulated categories Fernando Muro Universitat de Barcelona Dept.

On Massey products and triangulated categories Fernando Muro Universitat de Barcelona Dept.

On Massey products and triangulated categories Fernando Muro Universitat de Barcelona Dept. lgebra i Geometria Homotopy Theory and Higher Categories 20072008 Workshop on Derived Categories Fernando Muro On Massey products and

1.3k views • 108 slides
EI331 Signals and Systems Lecture 18 Bo Jiang John Hopcroft Center for Computer Science

EI331 Signals and Systems Lecture 18 Bo Jiang John Hopcroft Center for Computer Science

EI331 Signals and Systems Lecture 18 Bo Jiang John Hopcroft Center for Computer Science Shanghai Jiao Tong University April 25, 2019 Contents 1. DT Fourier Transform 2. Properties of DT Fourier Transform 1/33 DT Fourier Transform Let x be

1.1k views • 34 slides
Constraining anomalous HVV interac2ons at proton and lepton

Constraining anomalous HVV interac2ons at proton and lepton

Constraining anomalous HVV interac2ons at proton and lepton colliders Yaofu Zhou Johns Hopkins University The 2014 Phenomenology Symposium May 5,

600 views • 28 slides
CompSci 356: Computer Network Architectures Lecture 3: Network Architecture Examples and Lab 1

CompSci 356: Computer Network Architectures Lecture 3: Network Architecture Examples and Lab 1

CompSci 356: Computer Network Architectures Lecture 3: Network Architecture Examples and Lab 1 Xiaowei Yang xwy@cs.duke.edu Overview The Internet Architecture OSI Network Architecture Lab 1 Released Due: Jan 29, 11:59pm via

746 views • 63 slides

More recommend