[New] InTrust ETW provider Technical Preview

We are happy to announce an InTrust add-on that enables collection of ETW debug traces from Windows machines.

What are ETW traces?

The ETW data source is capable of automatically enabling and collecting ETW traces into the InTrust repository. In the Technical Preview, the following data is collected from ETW providers:

  • Use of the Windows Data Protection API (DPAPI)
  • Use of Microsoft .NET Framework API calls
  • Operation of the Windows EventLog service
  • Operation of the SMB service, which is responsible for management of and access to network shares and printers
  • Use of Windows Management Instrumentation (WMI)
  • Windows PowerShell scripting use
  • DNS resolutions
  • Creation, renaming and deletion of files and folders
  • Startup and shutdown of processes in the system
  • Registry operations: reading, writing, creation and deletion of registry keys and values
  • LDAP queries to Domain Controllers
  • Windows GUI operations such as clipboard data transfer
  • Internal HTTP requests made through the Internet Explorer (IE) OS components
  • and more

You may ask, "Wait, why do I need this if process monitoring can be enabled via GPO?" The answer is that ETW works without GPO policy settings and does not log anything, which means it is not exposed to endpoint users in any shape or form.

Keep in mind that ETW traces can create a significant amount of event traffic and should be enabled for a limited period of time, long enough to let threat hunters confirm their detection hypothesis. The confirmed hypothesis, in the form of ETW events, can then be used to create an InTrust alert so that operators are alerted on similar suspicious activity without the need to collect traces into the server repository. Alternatively, a corresponding search filter can be created that forwards the data to a SIEM system.

Some ETW traces, such as LDAP queries, do not generate a significant amount of data and can be enabled on a regular basis.

For the release of this functionality we are planning to add the capability to specify any custom ETW provider for data collection, along with better support for creating security alerts.

The add-on, in the form of a hotfix, can be downloaded from the KB article https://support.quest.com/kb/322580; make sure to check the documentation that comes with the add-on.

Please feel free to provide your feedback about the functionality in this post.