Driverless and userland Live Forensic with Event Tracing for Windows (ETW) to track suspicious network behaviour
Analysis should not relies only on beautiful dashboards on your SIEM
When you talk about incident response and network analysis, you are often confronted with two approaches (which can be sometimes implemented together) :
IOC analysis based on whitelists,blacklists, indicators of compromise and technical CTI data, you can compare every IP/domain connection to your indicators and try to find what’s wrong in your network traffic. Personnaly, except in rare case, i consider using only IOC based analysis a pure waste of time. But i won’t detail why, it’s not the purpose of this post.
Behavioral analysis: generally speaking, malicious network connections can be analyzed through recognizable behaviours like beaconing or data exfiltration. If you find a way to detect those behaviours, you are almost no longer dependent on a need for IOC.
However, in behavioral analysis, you have to put aside all the “buzz words” like AI, big data or machine learning… Those who believe that a tool or a technical solution can do the job that people are paid to will never detect an incident on their own. Most of the time, these people find technical means to try to mitigate that they do not know how to define and detect malicious behavior. Generally that is because they do not understand how a malware works. If an analyst cannot identify malicious behaviour alone, no need to go further, all is already lost.
Behind this criticism, let’s try to make the incident response world better than it is in many structures, even the biggest. So today, i suggest to talk a little bit about network oriented live forensic and ETW.
What is ETW?
Event Tracing for Windows is meant to provide low overhead tracing as compared with Windows Performance Monitor. ETW usually takes up no more than 5 percent of the CPU and can log up to 20,000 events per second. It’s fast enough to enable tracing in real time. ETW uses a provider-based model; in this case a provider is a system or application component that sends events to the event system.
ETW has the advantage of not requiring any prior tool installation (nor any reboot) and of being possible on all versions of Windows since Windows 2000. It also has the advantage of having a minimal impact on the performance of the machine. It is therefore perfectly suited to a live forensic analysis on a Windows machine. If the detection technique of the process communicating on the network is theoretically circumventable (frame injection directly at the Ethernet level, for example), the use of this method proves to be effective in practice.
(ab)using ETW in live forensic / incident response
ETW provides more detailed information on the operating system environment and application interaction than other logging services on Windows. In addition, ETW does this with less overhead and higher efficiency. It relies on three components:
Controllers: enable providers to log events to a session. They start, stop and define event trace sessions as well as specify the session/log file name, location, type and define the way of resolving date-time stamps.
Providers: applications equipped with event tracing instrumentation. When they are enabled by a controller, they send log events to a consumer.
Consumers: consume events from one or more event tracing sessions and retrieve events stored in log files along with logs from other real-time sessions. In this context, the log collector(s) act as consumers, ingesting generated events from enabled providers.
ETW providers
Windows has a lot of ETW providers, you can list them with the followind command:
logman query providersAlthough it is difficult to find the documentation, using logman but also some applications such as ETW Explorer, you will quickly understand that these providers provide a lot of information.
Using ETW providers has two advantages in my opinion: on the one hand, most data can be queried only with user rights. Moreover, you can choose to consume this data either directly or to log it through the event tracing log format (etl).
What can we see with ETW? A lot of things! Filesystem activity, Windows registry queries, BITS, RPC, Security events, COM/WMI calls, but also a lot of things from the network protocol stack. And since it’s all native, you don’t need a driver or even heavy components to make it work. Typically you can subscribe to ETW provider events from the Windows performance manager. But we will see that you can also make a more robust analytic solution soon ;)
ETW and network monitoring
Network tracing use the Event Tracing for Windows (ETW) framework available in Windows. Network components (such as Winsock, TCP/IP, NDIS, packet-capture, and so on) register as ETW trace providers and emit events related to network activity. Any recordable activity of significance can be an event logged to ETW.
Start with what you want to detect and then collect the necessary information, not the opposite
So what are my needs? more logs, more data, full packet capture… NO, not this time.
First, i want to identify suspicious behaviour on a couple of workstations on which I have a doubt that a malware is installed and communicates with a command and control server. If so, it is probably working like any other malware and it is beaconing to tell the attacker that the PC is alive and ready to execute command. Because that attacker think that i’m too bad to see him, this beaconing is, like any other, dependant of a loop with a static and hardcoded sleep. So if i can found any network connection that respond to the followings criterias, i should investigate. Here’s a simple equation without big data:
Considering “x” as a network transaction from my workstation to a single IP address and “x-n” the “n” previous network transaction from the same source host to the same destination IP address while bytes_in + bytes_out of anly of this transaction is < 1MB:
timestamp x — timestamp x-1 == timestamp x-1 — timestamp x-2 == timestamp x-2 — timestamp x-3
You can also think for a second use case:
(any TCP transaction when bytes_out > bytes_in when bytes_in < 1MB) AND (bytes_in + bytes_out < 1MB) AND (connection issue from a process with a PPID OR user_session_loggedOn_timestamp — network_transaction_timestamp > 1 minute)
With these two simple rules, you can limit false positives scenarios like startup antivirus / windows application checking for update or legitimate user action. It doesn’t mean that it will make miracles, but 9.9 times / 10, you will find what you are looking for: suspicious (and probably malicious) behaviour.
How to do to this with ETW?
Some Windows processes like performance monitor (GUI) and logman (CLI) could help you listening to desired behaviours and log everything in event tracing log files (*.etl). Theses files could then be consumed by tracerpt or beeing sent to your SIEM for futher analysis.
One of the drawbacks of ETW is to find out which provider has which information. Even though there are some resources on the subject on the Internet, Microsoft has not documented this tool much. However, some third party tools are really useful for this. Personnally, i would suggest Windows Event Providers Explorer. By collecting data related to DNS queries and TCP/IP connections and analyzing them correctly to identify behaviours such as those I introduced above, you are ont the right way to detect many malicious network behaviors.
Lot of tools are available to assist you collecting and visualizing ETW data. They are mostly opensource on github. Moreover, there is also a lot of libraries to help you binding and processing event tracing providers in your own software / script. On my side, I already worked a lot on DNS queries and network transaction analysis in a personal project that I will put open source soon. While waiting to present it, probably in a new article, I hope this article can expand your detection capabilities and will let you re/discover ETW
