One of the most important aspects of modern operating systems is instrumentation of the running software on the system. Instrumentation provides the visibility to understand what the system is doing at any given moment.

This is obviously important for system administrators and software developers, but visibility into machine state is increasingly being used for security monitoring and response. In Windows, system instrumentation is provided by Event Tracing for Windows (ETW), an extensive framework for instrumentation and visibility.

Much has been written about ETW, so I will not cover the details here; this blog post is the first of a series of posts that examine how we can leverage ETW for security monitoring using Velociraptor specifically. The Event Tracing for Windows framework is documented extensively by Microsoft.

In a nutshell, the framework is designed to facilitate interaction between event Consumers and event Providers. Velociraptor provides the VQL event plugin watch_etw() to register Velociraptor as a Consumer. If you have not read about Velociraptor’s event queries, check out the documentation. In Velociraptor, event queries allow us to write real-time monitoring rules on the endpoint, then forward events to the server, enrich the event with other information, or respond to the event autonomously.

In this blog post we will go through some examples to illustrate the general technique, but there are many more possibilities for advanced detection rules. Specifically, we will be building a Velociraptor query to monitor for DNS lookups on the endpoint. We mentioned previously that ETW connects providers and consumers, so our first task is simply to find a provider that will provide relevant data.
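As an added illustration of the kind of event query the post describes (this is example code, not the post's own query), the following VQL registers Velociraptor as a consumer of a provider with watch_etw(), keeps only the "query completed" events, and enriches each one with the process that issued the lookup. It assumes the GUID shown is the Microsoft-Windows-DNS-Client provider and that its event ID 3008 carries QueryName, QueryType and QueryResults fields; the suffix allow-list is a constructed example.

```vql
-- Assumed GUID of the Microsoft-Windows-DNS-Client provider.
LET DnsProvider = "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}"

-- Constructed allow-list: suffixes we do not want to forward to the server.
LET IgnoreSuffix = "(?i)(microsoft|windows)\\.com$"

SELECT System.TimeStamp AS Timestamp,
       System.ID AS EventID,
       System.ProcessID AS Pid,
       -- Enrich the ETW event with the process that performed the lookup.
       { SELECT Name, Exe, CommandLine, Username
         FROM pslist(pid=System.ProcessID) } AS Process,
       EventData.QueryName AS QueryName,
       EventData.QueryType AS QueryType,
       EventData.QueryResults AS Results
FROM watch_etw(guid=DnsProvider)
-- Event 3008 is assumed to be "DNS query completed"; drop allow-listed names.
WHERE System.ID = 3008
  AND NOT QueryName =~ IgnoreSuffix
```

Run as a client event artifact, each row is streamed to the server as it occurs, so the same query can be extended with further WHERE conditions or a server-side response.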