ETW Forensics - Why use Event Tracing for Windows over EventLog? - - JPCERT/CC Eyes
Common Information
Type Value
UUID 1ab0db8e-787e-48aa-8a0a-a4ea995f0f8c
Fingerprint 689f08c1b5528e36
Analysis status DONE
Considered CTI value 0
Text language
Published Nov. 14, 2024, midnight
Added to db Nov. 14, 2024, 2:15 a.m.
Last updated Nov. 17, 2024, 7:44 p.m.
Headline JPCERT/CC Eyes
Title ETW Forensics - Why use Event Tracing for Windows over EventLog? - - JPCERT/CC Eyes
Detected Hints/Tags/Attributes 34/2/12
RSS Feed
Id   Enabled   Feed title                     Url                                      Added to db
62             JPCERT/CC Blog English Edition https://blogs.jpcert.or.jp/en/atom.xml   2024-08-30 22:08
Attributes
Type             #Events   CTI Value   Value
Domain           4127                  github.com
Domain           207                   learn.microsoft.com
Domain           7                     www.geoffchappell.com
File             4                     test.csv
File             29                    www.geo
File             109                   index.htm
Github username  23                    jpcertcc
Url              1                     https://github.com/jpcertcc/etw-scan
Url              1                     https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing
Url              1                     https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/logman
Url              1                     https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/index.htm
Url              1                     https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/tracefmt