Logman

Logman (logman.exe) is a command-line utility that ships with Windows. It is an ETW controller: it lets you explore existing trace sessions and the ETW providers registered on the system, and create, update and stop trace sessions of your own.

Useful commands

# List all running trace sessions (run from an elevated prompt to see all of them)
> logman query -ets
# List the providers, keywords and levels that one session (here EventLog-Application) has enabled
> logman query "EventLog-Application" -ets
# List the ETW providers that a running process (here PID 1111) has registered, i.e. the providers it can emit events through
> logman query providers -pid 1111

Practical usage

When you start a hunt from a hypothesis, you need to know where the attacker's activity will leave tracks and how to capture them. Logman gives you that clarity by showing which ETW providers a process can emit events through. For example, suppose your hypothesis is that the attacker will use PowerShell to execute a payload. Which data sources could you use besides "Microsoft-Windows-PowerShell"?

In that case, open a PowerShell prompt in your environment and capture its PID.

> tasklist | findstr powershell

powershell.exe                9184 Console                    3     90,912 K

Then use logman to find out which ETW providers that process has registered. Keep in mind that a provider only appears once the process has actually registered it, so a freshly started host that has not yet loaded its modules can show a shorter list than a busy one.

> logman query providers -pid 9184

Provider                                     GUID
-------------------------------------------------------------------------------
.NET Common Language Runtime                 {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}
Microsoft-Antimalware-Protection             {E4B70372-261F-4C54-8FA6-A5A7914D73DA}
Microsoft-Antimalware-Scan-Interface         {2A576B87-09A7-520E-C21A-4942F0271D67}
Microsoft-IEFRAME                            {5C8BB950-959E-4309-8908-67961A1205D5}
Microsoft-Windows-Application-Experience     {EEF54E71-0661-422D-9A98-82FD4940B820}
Microsoft-Windows-AppModel-Runtime           {F1EF270A-0D32-4352-BA52-DBAB41E1D859}
Microsoft-Windows-AsynchronousCausality      {19A4C69A-28EB-4D4B-8D94-5F19055A1B5C}
Microsoft-Windows-CAPI2                      {5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}
Microsoft-Windows-COM-Perf                   {B8D6861B-D20F-4EEC-BBAE-87E0DD80602B}
Microsoft-Windows-COM-RundownInstrumentation {2957313D-FCAA-5D4A-2F69-32CE5F0AC44E}
Microsoft-Windows-Crypto-BCrypt              {C7E089AC-BA2A-11E0-9AF7-68384824019B}
Microsoft-Windows-Crypto-RSAEnh              {152FDB2B-6E9D-4B60-B317-815D5F174C4A}
Microsoft-Windows-Deplorch                   {B9DA9FE6-AE5F-4F3E-B2FA-8E623C11DC75}
...
...
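The listing already answers the question: besides Microsoft-Windows-PowerShell, a PowerShell process registers with Microsoft-Antimalware-Scan-Interface (AMSI, which sees the de-obfuscated script content), the .NET Common Language Runtime and the crypto providers, so those are candidate data sources for the hunt. The script below is an added example, not code from the original page: it automates the lookup for every running PowerShell host (any process name works), parses logman's table into objects, keeps the providers relevant to the hypothesis, and then uses logman itself to create a short live trace session on them and read the captured events back. The provider list, the session name HuntPS, the .etl path and the 30-second window are assumptions of the example, not anything the page specifies.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page). Automates the "logman query providers -pid"
# lookup for every running PowerShell host and turns the result into an ETW capture.
# Assumptions (mine, not the page's): the hunt-relevant provider list, the session
# name 'HuntPS', the .etl path and the capture window are arbitrary and adjustable.

function Get-ProcessEtwProvider {
    # Parses "logman query providers -pid <PID>" into objects. logman prints one
    # "<Name>   {GUID}" row per provider under a dashed separator; header and
    # footer lines contain no braced GUID and so never match the regex.
    param([Parameter(Mandatory)][int]$ProcessId)

    $rows = & logman.exe query providers -pid $ProcessId
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "logman failed for PID $ProcessId (exit $LASTEXITCODE); is the prompt elevated?"
        return
    }
    foreach ($row in $rows) {
        if ($row -match '^(?<Name>\S.*?)\s+\{(?<Guid>[0-9A-Fa-f-]{36})\}\s*$') {
            [pscustomobject]@{
                ProcessId = $ProcessId
                Provider  = $Matches.Name
                Guid      = $Matches.Guid
            }
        }
    }
}

function Get-HuntProvider {
    # Returns the providers worth enabling for a "PowerShell runs a payload"
    # hypothesis. The list is an assumption drawn from the listing on this page.
    param(
        [string[]]$ProcessName = @('powershell', 'pwsh'),
        [string[]]$Interesting = @(
            'Microsoft-Windows-PowerShell',
            'Microsoft-Antimalware-Scan-Interface',
            '.NET Common Language Runtime',
            'Microsoft-Windows-Crypto-BCrypt',
            'Microsoft-Windows-CAPI2'
        )
    )
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) { throw "No process named $($ProcessName -join ', ') is running." }

    # A provider only shows up once the process has registered it, so a freshly
    # started host may list fewer providers than a busy one: query every
    # instance and deduplicate on provider name and GUID.
    $all = foreach ($p in $procs) { Get-ProcessEtwProvider -ProcessId $p.Id }
    $all | Where-Object { $Interesting -contains $_.Provider } |
        Select-Object Provider, Guid -Unique
}

function Start-HuntTrace {
    # Creates a live (-ets) session on the selected providers with all keywords
    # (0xffffffffffffffff) at the most verbose level (0xff), records for a while,
    # stops the session and summarises the events written to the .etl file.
    param(
        [Parameter(Mandatory)][object[]]$Providers,
        [string]$SessionName = 'HuntPS',
        [string]$EtlPath = (Join-Path $env:TEMP 'huntps.etl'),
        [int]$Seconds = 30
    )
    $first, $rest = $Providers
    & logman.exe create trace $SessionName -p "{$($first.Guid)}" 0xffffffffffffffff 0xff -o $EtlPath -ets | Out-Null
    foreach ($p in $rest) {
        & logman.exe update trace $SessionName -p "{$($p.Guid)}" 0xffffffffffffffff 0xff -ets | Out-Null
    }
    & logman.exe query $SessionName -ets          # confirm which providers the session enabled
    Start-Sleep -Seconds $Seconds                 # reproduce the suspected PowerShell activity now
    & logman.exe stop $SessionName -ets | Out-Null

    # Get-WinEvent reads .etl files directly when -Oldest is given.
    Get-WinEvent -Path $EtlPath -Oldest |
        Group-Object ProviderName |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

$hits = Get-HuntProvider
$hits | Format-Table Provider, Guid -AutoSize
Start-HuntTrace -Providers $hits
```

Run it from an elevated PowerShell with at least one PowerShell host open; the per-provider event counts at the end tell you which of the candidate sources actually produced data during the activity you reproduced, which is the input you need before committing to a collection pipeline such as SilkETW.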
Last updated 4 years ago