
CyberWarFare Labs hands-on workshop on the topic "Detecting Adversarial Tradecrafts/Tools by leveraging ETW"

License: Apache License 2.0

Detecting-Adversarial-Tradecrafts-Tools-by-leveraging-ETW

⚠️ The workshop is still in progress; more tools and modules will be added in the upcoming weeks as they are covered.


To set up HELK, please refer to the following video: https://drive.google.com/drive/folders/11ELLPmjHy6c3IuV9MJAlWMif0Y2kXlEq

Workshop Outline

  • ETW Basics and Setup with HELK
  • Playing around with multiple ETW Providers
  • Weaponizing ETW-TI for Detection
  • Detecting various "Defense Evasion" Techniques (PPID Spoofing)
  • Detecting various "Defense Evasion" Techniques (Command Line Spoofing)
  • Detecting .NET Tools and Attack Techniques (AppDomain Abuse, SharpPick, etc.)
  • Detecting LOLBAS, BYOL & BYOI Techniques
  • Detecting Techniques leveraged by various C2 Agents

Tools Used

HELK : https://github.com/Cyb3rWard0g/HELK
SilkETW : https://github.com/mandiant/SilkETW
Sealighter (v1.5) : https://github.com/pathtofile/Sealighter
WEPExplorer : https://github.com/lallousx86/WinTools/tree/master/WEPExplorer
ETW-Event-Dumper : https://github.com/woanware/etw-event-dumper