Logman

Logman is a command-line utility that ships with Windows. It acts as an ETW controller, which lets you explore the trace sessions that are currently running and the ETW providers registered on the system.

Useful commands

> logman query -ets #List all running trace sessions
> logman query "EventLog-Application" -ets #List all providers that the trace session is subscribed to
> logman query providers -pid 1111 #List all providers that a specific process (by PID) can send events to

Practical usage

When you form a hypothesis for a hunt, you want to know how to capture all the necessary tracks. Logman gives you clarity about where those tracks can be found. For example, suppose your hypothesis is that the attacker will use PowerShell to execute the payload. Which data sources could you use besides "Microsoft-Windows-PowerShell"?

In that case, open a PowerShell prompt in your environment and capture its PID.

> tasklist | findstr powershell
powershell.exe                9184 Console                    3     90,912 K

Then use logman to find out which ETW providers the process is associated with:

> logman query providers -pid 9184
Provider                                 GUID
-------------------------------------------------------------------------------
.NET Common Language Runtime             {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}
Microsoft-Antimalware-Protection         {E4B70372-261F-4C54-8FA6-A5A7914D73DA}
Microsoft-Antimalware-Scan-Interface     {2A576B87-09A7-520E-C21A-4942F0271D67}
Microsoft-IEFRAME                        {5C8BB950-959E-4309-8908-67961A1205D5}
Microsoft-Windows-Application-Experience {EEF54E71-0661-422D-9A98-82FD4940B820}
Microsoft-Windows-AppModel-Runtime       {F1EF270A-0D32-4352-BA52-DBAB41E1D859}
Microsoft-Windows-AsynchronousCausality  {19A4C69A-28EB-4D4B-8D94-5F19055A1B5C}
Microsoft-Windows-CAPI2                  {5BBCA4A8-B209-48DC-A8C7-B23D3E5216FB}
Microsoft-Windows-COM-Perf               {B8D6861B-D20F-4EEC-BBAE-87E0DD80602B}
Microsoft-Windows-COM-RundownInstrumentation {2957313D-FCAA-5D4A-2F69-32CE5F0AC44E}
Microsoft-Windows-Crypto-BCrypt          {C7E089AC-BA2A-11E0-9AF7-68384824019B}
Microsoft-Windows-Crypto-RSAEnh          {152FDB2B-6E9D-4B60-B317-815D5F174C4A}
Microsoft-Windows-Deplorch               {B9DA9FE6-AE5F-4F3E-B2FA-8E623C11DC75}
...
...
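The manual lookup above answers only half of the hunter's question: it shows what a process can emit, not whether any running trace session actually collects it. The following script is an added example, not part of the original page, that automates the same three logman commands and joins their output: it enumerates every running process with a given name, lists the providers each one has registered, and marks each provider with the running trace sessions that have it enabled (matched by provider GUID, since some providers show up as a bare GUID). Providers flagged as not collected are the gaps a hunt would need to fill with a new session. It assumes Windows 10/11 with logman.exe on PATH, an elevated PowerShell prompt (non-elevated queries return an incomplete session list), and the column and "Key: value" layout that logman prints today; the `$ProcessName` parameter and function names are this example's own.

```powershell
# Added example (not from the original page): map the ETW providers a live
# process can emit to the running trace sessions that consume them, so a
# hunter can see which providers are NOT being collected anywhere.
# Assumes: Windows 10/11, logman.exe on PATH, elevated PowerShell prompt.
# Parsing depends on logman's current column / "Key: value" output layout.

param(
    [string]$ProcessName = 'powershell'   # process to inspect (example default)
)

# Providers a running process has registered: `logman query providers -pid <pid>`.
function Get-ProcessProviders {
    param([int]$ProcessId)
    $out = & logman.exe query providers -pid $ProcessId 2>&1
    foreach ($line in $out) {
        # Rows look like: "<name or GUID>   {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}"
        if ("$line" -match '^(?<name>\S.*?)\s+\{(?<guid>[0-9A-Fa-f-]{36})\}\s*$') {
            [pscustomobject]@{ Name = $Matches.name; Guid = $Matches.guid.ToUpperInvariant() }
        }
    }
}

# Names of trace sessions currently running: `logman query -ets`.
function Get-RunningTraceSessions {
    $out = & logman.exe query -ets 2>&1
    foreach ($line in $out) {
        # Columns are separated by runs of spaces; a session name may contain single spaces.
        $cols = ("$line" -replace '\s+$', '') -split '\s{2,}'
        if ($cols.Count -ge 3 -and $cols[1] -eq 'Trace' -and $cols[2] -eq 'Running') {
            $cols[0]
        }
    }
}

# Provider GUIDs enabled in one session: `logman query "<session>" -ets`.
function Get-SessionProviderGuids {
    param([string]$Session)
    $out = & logman.exe query "$Session" -ets 2>&1
    foreach ($line in $out) {
        if ("$line" -match '^Provider Guid:\s+\{(?<guid>[0-9A-Fa-f-]{36})\}') {
            $Matches.guid.ToUpperInvariant()
        }
    }
}

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { Write-Error "No running process named '$ProcessName'"; exit 1 }

# Build GUID -> list of session names once, then look each process provider up.
$consumers = @{}
foreach ($session in Get-RunningTraceSessions) {
    foreach ($guid in Get-SessionProviderGuids -Session $session) {
        if (-not $consumers.ContainsKey($guid)) {
            $consumers[$guid] = New-Object System.Collections.Generic.List[string]
        }
        $consumers[$guid].Add($session)
    }
}

foreach ($p in $procs) {
    Write-Host "== $($p.ProcessName) (PID $($p.Id)) =="
    Get-ProcessProviders -ProcessId $p.Id |
        Sort-Object Name -Unique |
        ForEach-Object {
            $by = if ($consumers.ContainsKey($_.Guid)) { $consumers[$_.Guid] -join ', ' } else { '<not collected>' }
            [pscustomobject]@{ Provider = $_.Name; Guid = $_.Guid; ConsumedBy = $by }
        } | Format-Table -AutoSize
}
```

Run it as `.\Find-UncollectedProviders.ps1 -ProcessName powershell` (any file name works) from an elevated prompt. Rows marked `<not collected>` are providers the process can write to that no running session receives; rows listing only a session such as EventLog-Application are being collected, but only at the level and keyword mask that session configured, which `logman query "<session>" -ets` also prints for manual review.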
