1 of 19

Improving Osquery Visibility with Windows ETW

Marcos Oviedo

Agenda

  • About me
  • Why improve visibility on Windows
  • An idea to approach this problem
  • ETW Overview
  • Target Use Cases
  • Osquery Integration

About Me

Marcos Oviedo - @marcosd4h

Infosec nerd based in Argentina

I love OS internals and native applications. I’ve been working as a Windows Endpoint Engineer for the last few years.

I also presented open-source tools and security research at different cons.

I’m quite new to Osquery, so please bear with me :)

Why improve visibility on Windows

  • The Windows threat landscape is rapidly evolving, and the visibility provided by Osquery should be able to grow as well
  • Osquery on Windows is suitable for providing the current state of the endpoint, but not so good for giving past execution context information
    • Think of processes starting and terminating between two queries.
  • The lack of Windows Osquery visibility is a problem that has been addressed in the field by coupling Osquery with external tools
    • Osquery + Sysmon
    • Osquery + EPP/EDR products (CarbonBlack)
    • Osquery + OSS/Custom tools

An idea to approach this problem

  • One way to improve endpoint visibility on Windows is by having more Windows evented tables.
    • Evented tables provide a great way to expose past endpoint behavior
  • It would be great if these tables could grow over time without much effort, so new optics can be added on each Osquery release.
    • Ideally, there should be a common component to handle how visibility events are collected, filtered, and published internally.
    • Then the work is around extending the provider to collect new data and adding a new subscriber to handle and present this data.
  • Enter Event Trace for Windows (ETW)

ETW Overview

  • ETW is a general-purpose, high-performance tracing facility provided by the Windows operating system capable of logging events from kernel and user-space applications
  • ETW Features
    • Built-in and system-wide functionality already available since Windows 7
    • Dynamically adjustable
    • High-speed logging
    • Standardized
    • Continual feature growth
    • It does not require rebooting
    • It does not require driver installation
    • It does not require any hardware features
    • Used by multiple security vendors in EDR and EPP products

Target Use Cases

New Table Name: etw_process_events

Goal: Track process-related events

Target Use Cases:

  • Process Creation
  • Process Termination

Provider Name:

  • Microsoft-Windows-Kernel-Process

Table Information:

  • ProcessID
  • Timestamp
  • Parent ProcessID
  • SessionID
  • Command Line
  • Image Name
  • Current Directory
  • LogonID
  • Integrity Level
  • Process Access Type
  • Process Token Elevation
  • Process Token Elevation Type
  • Process Token Mandatory Label
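An added example, not code from the talk or from osquery, showing what the etw_process_events subscriber would see from this provider: it records a short Microsoft-Windows-Kernel-Process trace with logman from an elevated PowerShell prompt and projects the ProcessStart/ProcessStop events onto the proposed columns. The session name, output path and column mapping are assumptions; the keyword value and event IDs are from the provider's manifest.

```powershell
# Added example (not from the talk): capture Microsoft-Windows-Kernel-Process
# events in a short-lived ETW session and map them to etw_process_events rows.
# Must run from an elevated prompt.
$session = 'osq_etw_demo'                               # assumed session name
$etl     = Join-Path $env:TEMP 'osq_etw_demo.etl'       # assumed output path
Remove-Item $etl -ErrorAction SilentlyContinue

# Keyword 0x10 = WINEVENT_KEYWORD_PROCESS, level 5 = verbose.
# -ets creates and starts the session directly in the tracing subsystem.
logman start $session -p 'Microsoft-Windows-Kernel-Process' 0x10 5 -o $etl -ets | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'logman could not start the session (not elevated?)' }
Start-Sleep -Seconds 10                                 # let processes start and stop
logman stop $session -ets | Out-Null

# Event 1 = ProcessStart, 2 = ProcessStop in this provider's manifest.
$names = @{ 1 = 'process_start'; 2 = 'process_stop' }

function ConvertTo-EtwProcessRow {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Read EventData fields by name from the rendered XML so the mapping does not
    # depend on property ordering, which can change between manifest versions.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        type                 = $names[[int]$Event.Id]
        timestamp            = $Event.TimeCreated.ToUniversalTime().ToString('o')
        process_id           = $data['ProcessID']
        parent_process_id    = $data['ParentProcessID']   # ProcessStart only
        session_id           = $data['SessionID']         # ProcessStart only
        image_name           = $data['ImageName']
        token_elevation_type = $data['TokenElevationType'] # ProcessStop only
        exit_code            = $data['ExitCode']          # ProcessStop only
        # Command line and current directory are not carried by this provider's
        # events and would need another source to fill those proposed columns.
    }
}

# -Oldest is required when reading .etl files with Get-WinEvent.
Get-WinEvent -Path $etl -Oldest |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Process' -and
                   $names.ContainsKey([int]$_.Id) } |
    ForEach-Object { ConvertTo-EtwProcessRow $_ } |
    Format-Table -AutoSize
```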

Target Use Cases (contd)

New Table Name: etw_pe_image_events

Goal: Track DLL- and driver-related events

Target Use Cases:

  • Track DLL and Driver loads and unloads

Provider Name:

  • Microsoft-Windows-Kernel-Process

Table Information:

  • ProcessID
  • Timestamp
  • Image Name
  • Image Size
  • Image Base
  • Image Load Status

Target Use Cases (contd)

New Table Name: etw_file_events

Goal: Track file-related events

Target Use Cases:

  • File writes
  • File deletions
  • File renames
  • Security attributes change

Provider Name:

  • Microsoft-Windows-Kernel-File

Table Information:

  • ProcessID
  • Timestamp
  • File Name
  • File Create Options
  • File Attributes Create
  • Info Class
  • Target File (rename)

Target Use Cases (contd)

New Table Name: etw_registry_events

Goal: Track registry-related events

Target Use Cases:

  • Registry writes
  • Registry deletions
  • Registry renames
  • Security attributes change

Provider Name:

  • Microsoft-Windows-Kernel-Registry

Table Information:

  • ProcessID
  • Timestamp
  • Base Key Name
  • Base Key Value
  • Info Class
  • Target Key Name (rename)
  • Target Key Value (rename)

Target Use Cases (contd)

New Table Name: etw_network_connection_events

Goal: Track network-related events

Target Use Cases:

  • Established Network Connections
  • Rejected Network Connections
  • Disconnected Network Connections

Provider Name:

  • Microsoft-Windows-Kernel-Network

Table Information:

  • ProcessID
  • Timestamp
  • User
  • Protocol
  • Source IP
  • Target IP
  • Source Port
  • Target Port
  • Connection ID

Target Use Cases (contd)

New Table Name: etw_dns_events

Goal: Track DNS-related events

Target Use Cases:

  • Tracking of DNS queries by process

Provider Name:

  • Microsoft-Windows-DNS-Client

Table Information:

  • ProcessID
  • Timestamp
  • Query Name
  • Query Status
  • Query Results
  • Image

Target Use Cases (contd)

New Table Name: etw_smb_events

Goal: Track SMB-related events

Target Use Cases:

  • Detect lateral movement using SMB Named Pipes

Provider Name:

  • Microsoft-Windows-SMBClient

Table Information:

  • ProcessID
  • Timestamp
  • Source IP
  • Target IP
  • Pipe Name
  • Target Path

Interesting ETW Providers

  • Microsoft-Windows-CodeIntegrity: Integrity of PE files
  • Microsoft-Antimalware-Protection: Endpoint Security events
  • Microsoft-Windows-Security-Mitigations: Exploit Prevention events
  • Microsoft-Windows-TerminalServices-LocalSessionManager: Remote Desktop events
  • Microsoft-Windows-PowerShell: PowerShell events

Interesting ETW Providers (contd)

  • Microsoft-Windows-Services-Svchost: Windows Services related events
  • Microsoft-Windows-LDAP-Client: LDAP/AD related events
  • Microsoft-Windows-Winlogon: Logon/Logoff/Session related events
  • Microsoft-Windows-Winsock-Sockets: Sockets related events
  • Microsoft-Windows-DotNETRuntime: Detect usage of .NET offensive tradecraft
  • And many, many more!

Osquery Integration

Challenges

  • Handling filtering and DB performance issues
  • Supporting ETW manifest versions
  • Issues with the evented framework that might pop up

Questions? Thanks!

ETW OS Providers on Windows

  • There are ETW probes all over the Windows OS stack. In addition, third-party apps can also register and produce their own providers.
  • The latest Windows 10 versions have more than 50k events generated by more than 1k providers.
  • There are 4 types of events that can be generated.
    • For our purposes, we are just focusing on Manifest- and MOF-based providers (known schema)
  • Linux has eBPF, Audit, and Dtrace as equivalent tracing sources. MacOS has OpenBSM and Endpoint Security tracing for security events as equivalent tracing sources.

Figure: Evolution of Windows 10 ETW providers
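An added example (not from the talk) for sizing the provider landscape described above and for inspecting the events a candidate table would subscribe to, using Get-WinEvent -ListProvider; the provider name patterns are assumptions. Only providers with a registered manifest appear in this listing, so the totals are a lower bound on what the host can emit.

```powershell
# Added example (not from the talk): inventory registered ETW providers on this
# host and inspect the events a candidate osquery table would consume.
function Get-EtwProviderSummary {
    # Provider name patterns are assumptions; adjust to the providers of interest.
    param([string[]]$Name = @('Microsoft-Windows-Kernel-*', 'Microsoft-Windows-DNS-Client',
                              'Microsoft-Windows-SMBClient'))
    foreach ($pattern in $Name) {
        # -ListProvider reads registered manifests; classic MOF and TraceLogging
        # providers without a registered manifest are not shown here.
        Get-WinEvent -ListProvider $pattern -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Provider = $_.Name
                Guid     = $_.Id
                Events   = @($_.Events).Count
                Keywords = (@($_.Keywords) |
                    ForEach-Object { '{0}=0x{1:X}' -f $_.Name, $_.Value }) -join ' '
            }
        }
    }
}

# Host-wide scale: how many registered providers and manifest events exist
$all        = Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue
$eventTotal = ($all | ForEach-Object { @($_.Events).Count } | Measure-Object -Sum).Sum
'{0} providers, {1} manifest events' -f $all.Count, $eventTotal

# Candidate providers from the talk, ranked by the number of events they define
Get-EtwProviderSummary | Sort-Object Events -Descending | Format-Table -AutoSize

# The two events etw_process_events would consume: ProcessStart (1), ProcessStop (2)
(Get-WinEvent -ListProvider 'Microsoft-Windows-Kernel-Process').Events |
    Where-Object { $_.Id -in @(1, 2) } |
    Select-Object Id, Version,
        @{ n = 'Level';    e = { $_.Level.Name } },
        @{ n = 'Keywords'; e = { ($_.Keywords | ForEach-Object Name) -join ',' } },
        Description
```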