SilkETW: Because Free Telemetry is…Free!

In the following example, we will collect process event data from the Kernel provider and use image loads to identify Mimikatz execution. We can collect the required data with this command:

SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:Usersb33fDesktopmimikatz.json

With data in hand it is easy to sort, grep and filter for the properties we are interested in (Figure 2).

Figure 2: PowerShell event filtering

Yara Integration

SilkETW has a number of command line flags that allow the user to restrict the events that are captured. These include the event name, the process ID, the process name, and the opcode. To further enhance this capability, Yara support is included to filter or tag trace events. While Yara has immediate defensive connotations, the reader is reminded that Yara rules are equally useful to augment research capabilities.

In the following contrived example we will use a Yara rule to detect Seatbelt execution in memory through Cobalt Strike’s execute-assembly.

rule Seatbelt_GetTokenInformation {     strings:         $s1 = "ManagedInteropMethodName=GetTokenInformation" ascii wide nocase         $s2 = "TOKEN_INFORMATION_CLASS" ascii wide nocase         $s3 = /bool(native int,valuetype w+.w+/w+,native int,int32,int32&/         $s4 = "locals (int32,int64,int64,int64,int64,int32& pinned,bool,int32)" ascii wide nocase     condition:         all of ($s*) }

We can start collecting .NET ETW data with the following command (note here the “-yo” option indicating that we will only write the Yara matches to file!):

SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y C:Usersb33fDesktopyara -yo matches -ot file -p C:Usersb33fDesktopyara.json

We can see at runtime that our Yara rule was hit (Figure 3).

Figure 3: Yara rule hit

Note also that we are only capturing a subset of the “Microsoft-Windows-DotNETRuntime” events (0x2038), specifically: JitKeyword, InteropKeyword, LoaderKeyword and NGenKeyword.

Roadmap

As outlined in the introduction, SilkETW is currently a research focused data-collection tool with robust yet rudimentary capabilities. Upcoming changes for SilkETW include, but are not limited to:

• Offer users the option to write trace data to disk as *.etl files.
• Create a separate instance of SilkETW that operates in a headless mode as a service and reads a configuration file.
• Take input from the community on any features that would be beneficial to ETW research.

GitHub

SilkETW is currently available for download on GitHub.

Acknowledgement

Special thanks to the whole Advanced Practices team – and Nick Carr in particular – for their indulgence of my antics! Thanks also to Stephen Davis, Anthony Berglund and Kevin Boyd of the FireEye Labs and Data Science teams for their help on reviewing this project and their prior work on pywintrace. If you are looking for Python ETW bindings you can use programmatically, definitely check out that project.