Detecting-Adversarial-Tradecrafts-Tools-by-leveraging-ETW icon indicating copy to clipboard operation
Detecting-Adversarial-Tradecrafts-Tools-by-leveraging-ETW copied to clipboard

verified publisher icon RedTeamOperations

Metadata

CyberWarFare Labs hands-on workshop on the topic "Detecting Adversarial Tradecrafts/Tools by leveraging ETW"

trafficstars

Detecting-Adversarial-Tradecrafts-Tools-by-leveraging-ETW

:warning: The workshop is still in Progress, more tools and modules will be added in the upcoming weeks as they are covered.

This is an image

To setup HELK, please refer the following Video : https://drive.google.com/drive/folders/11ELLPmjHy6c3IuV9MJAlWMif0Y2kXlEq

Workshop Outline

  • [X] ETW Basics and Setup with HELK
  • [X] Playing around with multiple ETW Providers
  • [X] Weaponizing ETW-TI for Detection
  • [X] Detecting various "Defense Evasion" Techniques (PPID Spoofing)
  • [ ] Detecting various "Defense Evasion" Techniques (Command Line Spoofing)
  • [ ] Detecting .NET Tools and Attack Techniques (AppDomain Abuse, SharpPick etc.)
  • [ ] Detecting LOLBAS, BYOL & BYOI Techniques
  • [ ] Detecting Techniques leveraged by various C2 Agents

Tools Used

HELK : https://github.com/Cyb3rWard0g/HELK SilkETW : https://github.com/mandiant/SilkETW Sealighter (v1.5) : https://github.com/pathtofile/Sealighter WEPExplorer : https://github.com/lallousx86/WinTools/tree/master/WEPExplorer ETW-Event-Dumper : https://github.com/woanware/etw-event-dumper

Metadata

37
Stars
12
Forks
Watchers

Owner

verified publisher icon RedTeamOperations

Metadata

CyberWarFare Labs hands-on workshop on the topic "Detecting Adversarial Tradecrafts/Tools by leveraging ETW"

Back