Today, defenders consume the Windows Event Log to detect intrusions. While useful, audit logs don't capture the full range of data needed for detection and response. ETW (Event Tracing for Windows) is an additional source of events that defenders can leverage to make post-breach activity more visible in Windows.
ETW provides a rich set of data, largely intended for debugging scenarios. As a side effect, these traces also contain data that is ideal for detecting potentially malicious behavior, such as raw networking data and detailed PowerShell data. Unfortunately, the ETW API is low level and primitive, making it difficult to use reliably at scale. Because our security team in Office 365 supports monitoring over 150,000 machines, we needed a reliable way to consume the events in real time while adhering to strict memory and CPU usage constraints. To accomplish this, our team built the open-source krabsetw library to simplify dynamically consuming ETW events. We currently use this library to collect 6.5TB of data per day from our service.
In this talk, we’ll discuss a few ETW sources we’ve found to be high value, as well as the detections they enable. We’ll also demo an example of using krabsetw and cover some considerations for using ETW in your intrusion detection pipeline at scale.
Zac Brown is a Senior Software Engineer at Microsoft on the Office 365 team, working on security for OneDrive/SharePoint Online. He started his career at Microsoft in the Windows division seven years ago working on developer experience, COM, and performance. Zac fell into security by accident and doesn’t consider himself a security professional but rather a software engineer first. He’s passionate about building efficient systems at scale and not getting breached. In his free time, he enjoys spending time with his wife and goofball dogs, making BBQ (smoking), reading, and trying in vain to learn Haskell. @zacbrown