Today, defenders consume the Windows Event Log to detect intrusions. While useful, audit logs don't capture the full range of data needed for detection and response. ETW (Event Tracing for Windows) is an additional source of events that defenders can leverage to make post-breach activity more visible in Windows.
ETW provides a rich set of data, largely intended for debugging scenarios. As a side effect, these traces also have data that is ideal for detecting potentially malicious behavior, such as raw networking data and detailed PowerShell data. Unfortunately, the ETW API is low level and primitive, making it difficult to use at scale reliably. Because our security team in Office 365 supports monitoring over 150,000 machines, we needed a reliable way to consume the events in real-time, while adhering to strict memory and CPU usage constraints. To accomplish this, our team built the open-source krabsetw library to simplify dynamically consuming ETW events. We currently use this library to collect 6.5TB of data per day, from our service.
In this talk, we’ll discuss a few ETW sources we’ve found to be high value as well as the detections they enable. We’ll also demo an example of using krabsetw as well as some considerations in using ETW in your intrusion detection pipeline at scale.