SilkETW is a flexible tool aimed to reduce the complexities of ETW(Event Tracing for Windows) and to put actionable data in the hands of researches on both the defensive and offensive side.
ETW is a kernel-level tracing facility that allows tracing the kernel logs or application-defined events logs. SilkETW makes the job straightforward by providing an interface for data collection, various filtering mechanics, and an output format that can be easily processed.
“SilkETW is not solely a defensive tool. ETW data can be used for diagnostics, it can help in reverse engineering, vulnerability research, detection, and evasion.”
SilkETW developed by FireEye, it provides a simple interface to record trace data and the output can be extracted is JSON format.
The extracted data can be imported to PowerShell locally or to 3rd party infrastructure such as Elasticsearch for event filtering.
The tool is developed.Net v4.5, a number of 3rd party libraries and Yara functionality to filter or tag event data.
By having the data in hand it is easy to filter the exact event that you want to trace, here researchers demonstrated by identifying a Mimikatz execution.
Also, the SilkETW includes a number of command line flags that allow the user to restrict the events that are captured.
It includes the following capabilities such as event name, the process ID, the process name, and the opcode.
The data collection can be triggered by using the command .NET ETW data and the “-yo” option here indicates that it will write only the Yara matches to file.
SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y
C:\Users\b33f\Desktop\yara -yo matches -ot file -p C:\Users\b33f\Desktop\yara.json
SilkETW is currently research focused data-collection tool with robust yet rudimentary capabilities. the tool can be downloaded on GitHub.
Learn : Complete Hacking Tools in Kali Linux Operating System
Also Read:
A Complete Penetration Testing & Hacking Tools List for Hackers & Security Professionals
Most Important Security Tools and Resources For Security Researcher and Malware Analyst
fsociety a Complete Hacking Tools pack that a Hacker Needs – Penetration Testing Framework
These are the Top 5 Publicly Available Hacking Tools Mostly used By Hackers
Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…
Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…
The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…
Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…
Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…
Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…