Monday, February 17, 2025
HomeForensics ToolsSilkETW - New Free Threat Intelligence Tool to Capture and Analyze Windows...

SilkETW – New Free Threat Intelligence Tool to Capture and Analyze Windows Events Logs

Published on

SIEM as a Service

Follow Us on Google News

SilkETW is a flexible tool aimed to reduce the complexities of ETW(Event Tracing for Windows) and to put actionable data in the hands of researches on both the defensive and offensive side.

ETW is a kernel-level tracing facility that allows tracing the kernel logs or application-defined events logs. SilkETW makes the job straightforward by providing an interface for data collection, various filtering mechanics, and an output format that can be easily processed.

“SilkETW is not solely a defensive tool. ETW data can be used for diagnostics, it can help in reverse engineering, vulnerability research, detection, and evasion.”

SilkETW

SilkETW developed by FireEye, it provides a simple interface to record trace data and the output can be extracted is JSON format.

The extracted data can be imported to PowerShell locally or to 3rd party infrastructure such as Elasticsearch for event filtering.

The tool is developed.Net v4.5, a number of 3rd party libraries and Yara functionality to filter or tag event data.

https://twitter.com/FireEye/status/1108405586595627013

By having the data in hand it is easy to filter the exact event that you want to trace, here researchers demonstrated by identifying a Mimikatz execution.

Also, the SilkETW includes a number of command line flags that allow the user to restrict the events that are captured.

It includes the following capabilities such as event name, the process ID, the process name, and the opcode.

The data collection can be triggered by using the command .NET ETW data and the “-yo” option here indicates that it will write only the Yara matches to file.

SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y
C:\Users\b33f\Desktop\yara -yo matches -ot file -p C:\Users\b33f\Desktop\yara.json

SilkETW is currently research focused data-collection tool with robust yet rudimentary capabilities. the tool can be downloaded on GitHub.

Learn : Complete Hacking Tools in Kali Linux Operating System

Also Read:

A Complete Penetration Testing & Hacking Tools List for Hackers & Security Professionals

Most Important Security Tools and Resources For Security Researcher and Malware Analyst

fsociety a Complete Hacking Tools pack that a Hacker Needs – Penetration Testing Framework

These are the Top 5 Publicly Available Hacking Tools Mostly used By Hackers

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Android’s New Security Feature Prevents Sensitive Setting Changes During Calls

Phone scams are becoming more sophisticated with advancements in AI-driven speech tools, making it...

Hackers Exploit Microsoft Teams Invites to Gain Unauthorized Access

The Microsoft Threat Intelligence Center (MSTIC) has uncovered an ongoing and sophisticated phishing campaign...

Meta’s Bug Bounty Initiative Pays $2.3 Million to Security Researchers in 2024

Meta's commitment to cybersecurity took center stage in 2024 as the tech giant awarded...

Google Chrome Introduces AI to Block Malicious Websites and Downloads

Google has taken a significant step in enhancing internet safety by integrating artificial intelligence...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Cl0p Ransomware Hide Itself on Compromised Networks After Exfiltrate the Data

The Cl0p ransomware group, a prominent player in the cybercrime landscape since 2019, has...

Ratatouille Malware Bypass UAC Control & Exploits I2P Network to Launch Cyber Attacks

A newly discovered malware, dubbed "Ratatouille" (or I2PRAT), is raising alarms in the cybersecurity...

Hackers Exploit 3,000 ASP.NET Machine Keys to Hack IIS Web Servers Remotely

Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks...