#general

Chris B

11/14/2019, 11:14 PM
Anyone aware of any extensions/PRs existing or currently in development that use Event Tracing for Windows (ETW) for real time eventing on Windows-specific stuff? PowerShell and WMI events for example?

packetzero

11/14/2019, 11:32 PM
Alienvault has an implementation of process and network events using ETW. The schema is different from process_events. It's also based on the v3.3.1 codebase. I didn't finish porting it to the v4.x branch. It's based on this library: https://github.com/AlienVault-Engineering/libetw

Chris B

11/14/2019, 11:39 PM
This is pretty awesome! It covers a lot of providers. I think it would be a great starting point for the trace providers I mentioned. Do you plan to finish porting that over at any point?

packetzero

11/14/2019, 11:46 PM
My last day at Alienvault is this Friday, so I ran out of time unfortunately.

Chris B

11/14/2019, 11:48 PM
Ahh I see. I just had a requirement at work to add socket event support for Mac, but not sure if they’ll let me work on Windows since we are not a Windows shop. 😦

packetzero

11/15/2019, 12:01 AM
You might be interested in this for macOS: https://github.com/packetzero/libntstat
12:03 AM
OS API support for UDP is weak, as it is for Linux. Which will be a challenge when HTTP/3 becomes ubiquitous.

Chris B

11/15/2019, 12:44 AM
That’s awesome, I’ll be sure to check it out. Are you saying OpenBSM and auditd are inconsistent/lossy on UDP connections?
12:45 AM
I have not tested thoroughly, but I expected OpenBSM/audit would publish all syscalls. My subscriber is watching connect and bind calls.

manu

11/15/2019, 5:55 AM
@thor also had some partial changes in his branch related to ETW for evented tables. https://github.com/muffins/osquery/commits/win-etw-publisher

thor

11/15/2019, 5:59 AM
Ah yeah, I really wanted that to take off, but honestly I think the better path forward would be to try and get KrabsETW integrated with osquery and leverage that.

manu

11/15/2019, 6:01 AM
Yeah, KrabsETW would be a great choice. I had experimented with that in the past.

Chris B

11/15/2019, 3:25 PM
KrabsETW is awesome. I was able to develop a PoC userland EDR tool with it that monitored like 8 high-impact Windows events in 2-3 weeks. I thought about trying to integrate that, but thought maybe it would be too heavy.
3:27 PM
I was just thinking how awesome it would be if osquery could monitor things like PowerShell, WMI, service changes, and Task Scheduler out of the box instead of having to make all the complex Group Policy changes in the Windows audit configuration.

packetzero

11/15/2019, 3:41 PM
KrabsETW is great and it covers all the different conditions. I originally looked at using it for an events provider. However, I was scared away by the size and the use of the schema and TDH lib to parse out all the properties. For an event source, you want to filter out and use only what you need. For that reason, I opted for direct use of the ETW data structures and only parsing what is needed. One of these days I need to do some performance analysis and see if the Krabs overhead is insignificant.

Chris B

11/15/2019, 4:08 PM
In theory I feel using ETW directly via TDH would be the way to go. When I was developing, I used Microsoft Message Analyzer and its plugin for ETW event subscribers to help create the data filters and parse the fields I needed.
4:09 PM
And yeah, I am not sure about the weight of KrabsETW, but I remember it seemed very heavy at the time. Also, in some ways it was convenient, but there were instances where the extra layer of abstraction actually complicated things when I wanted to pull/parse data that wasn’t supported by KrabsETW yet.
4:11 PM
But yeah, agree that it is a pretty intimidating task!

manu

11/15/2019, 4:42 PM
Evented tables will tend to be heavy, and with proper filters and control flags one can keep these tables usable. But either way, having these tables within core would be a great addition without the need for some other agent like Sysmon or an extension when osquery is already installed.