BALTIMORE, MD, October 19, 2016 — Nate Rogers and Ben Lelonek will discuss Event Tracing for Windows (ETW) and its untapped potential for both offensive and defensive purposes. On October 23, 2016 at 12pm (October 22, 9pm EST) at Ruxcon in Melbourne, Australia, they will present their talk, entitled Make ETW Great Again! An article entitled Logging Keystrokes with Event Tracing for Windows (ETW) will be posted to our blog around the time of the talk, so stay tuned.
Event Tracing for Windows (ETW) is nothing new. It has existed in all versions of Windows since Vista, and Microsoft published many detailed blog posts about it when it first came out (around 2009). It has also been used in a few instances of cybersecurity-related research, as well as in tools ranging from malware research in academia to abused admin ("badmin") tools for red teams and penetration testers. In spite of all this, and for reasons we can't figure out, the real potential of ETW remains untapped for both offensive and defensive purposes in virtually all of these previous applications.
This talk will survey ETW's previous usage in both industry and academia but will focus on its underutilized potential. For the defensive, anti-malware side of the industry, ETW has vast potential as a new vector for data capture. It can capture ("trace" in ETW speak) events from every facet of a system, including the kernel, file I/O, memory allocation, network activity and .NET usage, to name a few, all the while remaining relatively difficult (from malware's perspective) to detect, because the mechanism is already native to modern versions of Windows. These events can be captured and parsed dynamically, or aggregated and parsed later. This versatility lets ETW serve as an alternative mechanism for anti-malware tools, and it also has applications in sandboxing and in automated malware analysis and research. For the anti-malware-minded folks in the industry, ETW provides a valuable data source that can feed existing tools and research or open new lines of inquiry.
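As an added illustration of the "aggregate and parse later" path described above (this is example code written for this page, not code from the talk or from CyberPoint), the following PowerShell uses only built-in Windows tooling to start a trace session against the Microsoft-Windows-Kernel-Process provider, write the events to an ETL file, stop the session, and then read the process-start events back offline. The session name, output path, and the use of event ID 1 as the ProcessStart event are assumptions made for this example; the provider manifest can be checked with `wevtutil gp Microsoft-Windows-Kernel-Process`. The real-time (dynamic) consumer path instead uses the OpenTrace/ProcessTrace API and is not shown here.

```powershell
# Added example: capture process-creation events with ETW using built-in tools only.
# Not part of the original talk or of CyberPoint's tooling. Requires an elevated prompt.
# Session name and output path are assumptions chosen for this example.
$SessionName = 'DemoProcTrace'
$EtlPath     = Join-Path $env:TEMP 'demo-proc.etl'

function Start-DemoTrace {
    # Microsoft-Windows-Kernel-Process is a built-in provider for process/thread/image events.
    # -ets creates and starts the session immediately (no data collector set is registered).
    logman start $SessionName -p 'Microsoft-Windows-Kernel-Process' -o $EtlPath -ets | Out-Null
}

function Stop-DemoTrace {
    logman stop $SessionName -ets | Out-Null
}

function Get-DemoProcessStarts {
    # Get-WinEvent reads ETL files offline; -Oldest is mandatory for ETL input.
    # Assumption: event ID 1 is ProcessStart for this provider (verify via wevtutil gp).
    Get-WinEvent -Path $EtlPath -Oldest |
        Where-Object { $_.Id -eq 1 } |
        ForEach-Object {
            [xml]$x = $_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ProcessId = $data['ProcessID']
                ParentId  = $data['ParentProcessID']
                Image     = $data['ImageName']
            }
        }
}

function Get-ActiveTraceSessions {
    # A defender's check: every ETW session, including ones started by third-party
    # software, is visible here. Unexpected names are worth investigating.
    logman query -ets
}

# Usage: start the session, generate some activity, stop it, then parse the file.
Start-DemoTrace
Start-Process -FilePath 'notepad.exe' -WindowStyle Hidden   # constructed activity for the demo
Start-Sleep -Seconds 2
Stop-DemoTrace
Get-DemoProcessStarts | Format-Table -AutoSize
```

`logman query providers` lists every provider registered on the host (the kernel, networking and .NET runtime providers mentioned above among them), and the same pattern works for any of them by changing the `-p` argument. The `Get-ActiveTraceSessions` helper is the counterpart to the stealth point: a session does not have to register a driver or a service, but it does appear in the live session list, which is where monitoring for unexpected consumers belongs.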
For the red teamers and pen-testers, ETW appears to have far more potential than what is currently being leveraged publicly in the community. While examples of cookie stealing and netflow exist, this is just the tip of the iceberg. ETW provides thousands of types of events an attacker can potentially access, giving them virtually any desired detail about the system. We'll discuss a few of these events in detail and give demos of how they can be abused. Lastly, we will demonstrate their usage while highlighting the "stealth" of ETW and why it will be difficult for the AV industry to prevent abuse of ETW by attackers.
Nate is the tech lead of the Security Research Team [SRT] at CyberPoint International. His research focuses on vulnerability research, fuzzing, analyzing high-profile malware, dodging managerial responsibilities, and exploring the latest attack vectors and ways to detect and mitigate them. Professionally, his experience covers reverse engineering, malware analysis, infosec-related software development, and penetration testing. He loves tinkering in all infosec-related areas and often spends his free time bug hunting or struggling at CTFs. He is currently a graduate student studying Cybersecurity at NYU Poly.
Ben is currently a member of the Security Research Team [SRT] at CyberPoint International. Most of his experience is in software development, primarily on tools for malware analysis. His research interests include automating malware analysis, honeypots, and the Internet of Things. He is currently a graduate student studying Computer Science at UMBC.
At CyberPoint, we work to create a future where individuals and organizations from across the globe can operate safely and securely in cyberspace and benefit from the technological innovations that increasingly connect our world. A rapidly growing cybersecurity company, CyberPoint integrates and delivers innovative, leading-edge services, solutions, and products to protect what's invaluable to customers worldwide. We discover the threats and vulnerabilities that expose data, systems, and infrastructure to compromise, we quantify risks, and we design defenses that provide critical protection.