Anyone aware of any extensions PRs existing or currently in

Question

Anyone aware of any extensions PRs existing or currently in development that use Event Tracing for Windows ETW for real time eventing on Windows specific stuff PowerShell and WMI events for example

packetzero · Answer

Alienvault has an implementation of process and network events using ETW The schema is different than process events It s also based on v3 3 1 codebase I didn t finish porting it to v4 x branch It s based on this library <https github com AlienVault Engineering libetw>

Chris B · Answer

This is pretty awesome It covers a lot of providers I think it would be a great starting point for the trace providers I mentioned Do you plan to finish porting that over at any point

packetzero · Answer

My last day at Alienvault is this Friday so I ran out of time unfortunately

Chris B · Answer

Ahh I see I just had a requirement at work to add socket event support for Mac but not sure if they ll let me work windows since we are not a windows shop

packetzero · Answer

you might be interested in this for MacOS <https github com packetzero libntstat>

packetzero · Answer

OS api support for UDP is weak as it is for linux Which will be a challenge when HTTP3 becomes ubiquitous

Chris B · Answer

That s awesome I ll be sure to check it out Are you saying openbsm and auditd are inconsistent lossy on Udp connections

Chris B · Answer

I have not tested thoroughly but I expected openbsm audit would publish all syscalls My subscriber is watching connect and bind calls

manu · Answer

< thor> also had some partial changes in his branch related to ETW for evented tables

thor · Answer

Ah yeah I really wanted that to take off but honestly I think the better path forward would be to try and get KrabsETW integrated with osquery and leverage that

manu · Answer

yeah krabsetw would be a great choice i had experimented with that in past

Chris B · Answer

KrabsETW is awesome I was able to develop a PoC userland EDR tool with it that monitored like 8 high impact windows events in 2 3 weeks I thought about trying to integrate that but thought maybe it would be too heavy

Chris B · Answer

I was just thinking how awesome it would be if osquery could monitor things like PowerShell WMI service changes and task scheduler out of the box instead of having to make all the complex group policy changes in Windows audit configuration

packetzero · Answer

KrabsETW is great and it covers all the different conditions I originally looked at using it for events provider However I was scared away by the size and use of schema and TDH lib to parse out all the properties For an event source you want to filter out and use only what you need For that reason I opted for direct use of ETW data structures and only parsing what is needed One of these days I need to do some performance analysis and see if the Krabs overhead is insignificant

Chris B · Answer

In theory I feel using ETW directly via TDH would be the way to go When I was developing I used Microsoft message analyzer and it s plugin for ETW event subscribers to help create the data filters and parse the fields I needed

Chris B · Answer

And yeah I am not sure about the weight of krabsetw but i remember it seemed very heavy at the time Also in some ways it was convenient but there were instances where the extra layer of abstraction actually complicated things when I wanted to pull parse data that wasn t supported by krabsetw yet

Chris B · Answer

But yeah agree that it is a pretty intimidating task

manu · Answer

Evented tables will tend to be heavy and with proper filters and control flags one can keep these tables usable But either ways having these tables within core would be great addition without the need for some other agent like sysmon or extension when osquery is already installed