Anyone aware of any extensions/PRs existing or currently in development that use Event Tracing for Windows (ETW) for real time eventing on Windows-specific stuff? PowerShell and WMI events for example?

Alienvault has an implementation of process and network events using ETW. The schema is different than process_events. It's also based on v3.3.1 codebase. I didn't finish porting it to v4.x branch. It's based on this library: https://github.com/AlienVault-Engineering/libetw

This is pretty awesome! It covers a lot of providers. I think it would be a great starting point for the trace providers I mentioned. Do you plan to finish porting that over at any point?

My last day at Alienvault is this Friday, so I ran out of time unfortunately.

Ahh I see. I just had a requirement at work to add socket event support for Mac but not sure if they’ll let me work windows since we are not a windows shop. :(

you might be interested in this for MacOS : https://github.com/packetzero/libntstat

That’s awesome, I’ll be sure to check it out. Are you saying openbsm and auditd are inconsistent/lossy on Udp connections?

@thor also had some partial changes in his branch related to ETW for evented tables. https://github.com/muffins/osquery/commits/win-etw-publisher

Ah yeah, I really wanted that to take off but honestly I think the better path forward would be to try and get KrabsETW integrated with osquery and leverage that

yeah krabsetw would be a great choice. i had experimented with that in past.

KrabsETW is awesome. I was able to develop a PoC userland EDR tool with it that monitored like 8 high impact windows events in 2-3 weeks. I thought about trying to integrate that but thought maybe it would be too heavy.

KrabsETW is great and it covers all the different conditions. I originally looked at using it for events provider. However I was scared away by the size and use of schema and TDH lib to parse out all the properties. For an event source, you want to filter out and use only what you need. For that reason, I opted for direct use of ETW data structures and only parsing what is needed. One of these days I need to do some performance analysis and see if the Krabs overhead is insignificant.

In theory I feel using ETW directly via TDH would be the way to go. When I was developing I used Microsoft message analyzer and it’s plugin for ETW event subscribers to help create the data filters and parse the fields I needed.

Evented tables will tend to be heavy and with proper filters and control flags one can keep these tables usable. But either ways having these tables within core would be great addition without the need for some other agent like sysmon or extension when osquery is already installed.