Windows 10 ETW Events

Events from all manifest-based and mof-based ETW providers across Windows 10 versions

Version	Events	Manifest Providers	MOF Providers	Unknown Providers
1511	43,319	811	195	24
1607	45,569	830	193	23
1703	46,532	842	194	31
1709	47,687	854	193	28
1803	48,226	855	192	29
1809	49,080	863	190	25
1903	49,734	867	187	24
1909	49,773	868	187	24
2004	50,391	871	187	25
2009	50,399	872	187	25
21H1	50,505	871	187	28
21H2	51,696	876	187	25

Want the data in a different format?

Roberto Rodriguez @Cyb3rWard0g

https://github.com/hunters-forge/OSSEM/tree/master/data_dictionaries/windows/etw/json - JSON
https://github.com/hunters-forge/OSSEM/tree/yaml/data_dictionaries/yaml/windows - YAML

Microsoft

https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
How do I detect technique X in Windows?, DerbyCon 2019
https://github.com/mattifestation/WindowsEventLogMetadata
https://gist.github.com/mattifestation/04e8299d8bc97ef825affe733310f7bd - NiftyETWProviders.json
https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658 - TLGMetadataParser.psm1

Nasreddine Bencherchali @nasbench

https://github.com/nasbench/ETW-Resources#blogs--research-httpsnasbenchmediumcom
https://github.com/nasbench/ETW-Resources - XML manifests

Zac Brown @zacbrown

https://zacbrown.org/2017/04/11/hidden-treasure-intrusion-detection-with-etw-part-1
https://zacbrown.org/2017/05/9/hidden-treasure-intrusion-detection-with-etw-part-2
https://github.com/zacbrown/hiddentreasure-etw-demo

Ruben Boonen @FuzzySec

https://www.fireeye.com/blog/threat-research/2019/03/silketw-because-free-telemetry-is-free.html
https://github.com/fireeye/SilkETW

Pavel Yosifovich @zodiacon

Elias Bachaalany @0xeb