#etw — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #etw, aggregated by home.social.
-
@BlumeEvolution @steffensmile @Teh_Doc_Inan @solaris
a) das Beispiel teure Kaffeemaschine für Kaffeebohnen (arme Studis müssen Pads nehmen) ist nicht lebenspraktisch, da Studis ja auch gemahlenen Kaffee, Filtertüren, preiswerte Kaffeemaschinen benutzen können (Kaffeesatz als Dünger für Pflanzen)☕
b) vielen Vermietern fehlen die Mittel zur Umrüstung auf...🏘️ 💶
c) Besitzer*innen #ETW müssen sich Abstimmungsergebnissen beugen - sitzen also auch in Fallen (#Heizung #Gemeinschaftseigentum)
-
@BlumeEvolution @steffensmile @Teh_Doc_Inan @solaris
a) das Beispiel teure Kaffeemaschine für Kaffeebohnen (arme Studis müssen Pads nehmen) ist nicht lebenspraktisch, da Studis ja auch gemahlenen Kaffee, Filtertüren, preiswerte Kaffeemaschinen benutzen können (Kaffeesatz als Dünger für Pflanzen)☕
b) vielen Vermietern fehlen die Mittel zur Umrüstung auf...🏘️ 💶
c) Besitzer*innen #ETW müssen sich Abstimmungsergebnissen beugen - sitzen also auch in Fallen (#Heizung #Gemeinschaftseigentum)
-
@BlumeEvolution @steffensmile @Teh_Doc_Inan @solaris
a) das Beispiel teure Kaffeemaschine für Kaffeebohnen (arme Studis müssen Pads nehmen) ist nicht lebenspraktisch, da Studis ja auch gemahlenen Kaffee, Filtertüren, preiswerte Kaffeemaschinen benutzen können (Kaffeesatz als Dünger für Pflanzen)☕
b) vielen Vermietern fehlen die Mittel zur Umrüstung auf...🏘️ 💶
c) Besitzer*innen #ETW müssen sich Abstimmungsergebnissen beugen - sitzen also auch in Fallen (#Heizung #Gemeinschaftseigentum)
-
@BlumeEvolution @steffensmile @Teh_Doc_Inan @solaris
a) das Beispiel teure Kaffeemaschine für Kaffeebohnen (arme Studis müssen Pads nehmen) ist nicht lebenspraktisch, da Studis ja auch gemahlenen Kaffee, Filtertüren, preiswerte Kaffeemaschinen benutzen können (Kaffeesatz als Dünger für Pflanzen)☕
b) vielen Vermietern fehlen die Mittel zur Umrüstung auf...🏘️ 💶
c) Besitzer*innen #ETW müssen sich Abstimmungsergebnissen beugen - sitzen also auch in Fallen (#Heizung #Gemeinschaftseigentum)
-
@BlumeEvolution @steffensmile @Teh_Doc_Inan @solaris
a) das Beispiel teure Kaffeemaschine für Kaffeebohnen (arme Studis müssen Pads nehmen) ist nicht lebenspraktisch, da Studis ja auch gemahlenen Kaffee, Filtertüren, preiswerte Kaffeemaschinen benutzen können (Kaffeesatz als Dünger für Pflanzen)☕
b) vielen Vermietern fehlen die Mittel zur Umrüstung auf...🏘️ 💶
c) Besitzer*innen #ETW müssen sich Abstimmungsergebnissen beugen - sitzen also auch in Fallen (#Heizung #Gemeinschaftseigentum)
-
A room with a view🏖
Das ist die Aussicht aus des Mannes Kammer. Ein 70er Wohnschachtel-Dings mit Kratzputz. Mitten zwischen Gärten und Gründerzeit-Häuser gepflanzt. Einfach so. Plopp. Wenn man keinen Bock auf Häuser entwerfen hat, kann man doch was anderes machen ... Kammerjäger oder Kampfmittelräumdienst ... wird auch gebraucht und entspricht evtl mehr der persönlichen Neigung.
-
📢 Fuzzing récursif des structures MS-RPC avec ETW : escalade de privilèges vers SYSTEM
📝 ## 🔍 ContexteArticle technique publié le 4 mai 2026 par Remco van der Meer sur incendium.rocks, présentant des mises à jour...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-06-fuzzing-recursif-des-structures-ms-rpc-avec-etw-escalade-de-privileges-vers-nt-authority-system/
🌐 source : https://www.incendium.rocks/posts/Fuzzing-MS-RPC-structures-and-monitoring/
#ETW #IOC #Cyberveille -
FortiGuard IR researchers have highlighted unexpected forensic value in the AutoLogger-Diagtrack-Listener.etl file on modern Windows systems.
Despite low exploitation severity, the artefact has shown the ability to preserve historical process-execution data, including deleted binaries and command-line traces — helpful in ransomware investigations.
What’s your view on ETW-based artefacts in DFIR workflows?
Share your insights and follow us for more clear, unbiased analysis.
#InfoSec #DFIR #ThreatIntel #WindowsForensics #ETW #Telemetry #CyberSecurity #IncidentResponse #SecurityResearch #ThreatAnalysis
-
FortiGuard IR researchers have highlighted unexpected forensic value in the AutoLogger-Diagtrack-Listener.etl file on modern Windows systems.
Despite low exploitation severity, the artefact has shown the ability to preserve historical process-execution data, including deleted binaries and command-line traces — helpful in ransomware investigations.
What’s your view on ETW-based artefacts in DFIR workflows?
Share your insights and follow us for more clear, unbiased analysis.
#InfoSec #DFIR #ThreatIntel #WindowsForensics #ETW #Telemetry #CyberSecurity #IncidentResponse #SecurityResearch #ThreatAnalysis
-
FortiGuard IR researchers have highlighted unexpected forensic value in the AutoLogger-Diagtrack-Listener.etl file on modern Windows systems.
Despite low exploitation severity, the artefact has shown the ability to preserve historical process-execution data, including deleted binaries and command-line traces — helpful in ransomware investigations.
What’s your view on ETW-based artefacts in DFIR workflows?
Share your insights and follow us for more clear, unbiased analysis.
#InfoSec #DFIR #ThreatIntel #WindowsForensics #ETW #Telemetry #CyberSecurity #IncidentResponse #SecurityResearch #ThreatAnalysis
-
Hm, im #KüchenRegal war weniger Marmelade zu finden als gedacht; und #Nudelsoße muß ich dringend kaufen. Fünf Kilogramm #ETW (EierTeigWaren) sollten eine Weile reichen.
-
Hm, im #KüchenRegal war weniger Marmelade zu finden als gedacht; und #Nudelsoße muß ich dringend kaufen. Fünf Kilogramm #ETW (EierTeigWaren) sollten eine Weile reichen.
-
🦠 Malware Analysis
===================🦠 Malware Analysis
Executive summary: A recently observed campaign leverages malicious
Windows shortcut files (.LNK) distributed via Discord to deliver a
multi‑functional Remote Access Trojan (RAT). The LNK triggers a hidden
PowerShell that extracts a ZIP (Moq.zip) containing a malicious DLL
and executes it through the legitimate binary odbcconf.exe, a
Living‑off‑the‑Land Binary (LOLBin), to evade detection.Technical details:
• The shortcut named Cyber security.lnk opens an embedded decoy PDF
Cyber security.pdf while running a PowerShell payload in hidden mode
(via a headless conhost.exe).
• The PowerShell creates a working path (Temp and a Nuget folder under
Public), extracts an embedded PDF and the ZIP archive, then drops
Moq.zip and a malicious DLL.
• Execution is handed to odbcconf.exe to load the DLL, enabling
process execution without spawning visible consoles.
• The RAT collects system/antivirus information, attempts AMSI
bypasses, and patches EtwEventWrite to impair Windows Event Tracing
(ETW).🔹 Attack Chain Analysis
1. Initial Access (LNK): User opens Cyber security.lnk from Discord —
triggers hidden PowerShell (MITRE: T1204.002).
2. Download/Stage: PowerShell extracts embedded PDF and Moq.zip into
Temp/Public\Nuget.
3. Execution via LOLBin: odbcconf.exe is used to load the dropped DLL
(MITRE: T1218 — System Binary Proxy Execution).
4. Persistence/Control: Malicious DLL implements RAT behaviors,
including remote commands and reconnaissance.
5. Defense Evasion: AMSI bypass and EtwEventWrite patching (Impair
Defenses) reduce telemetry and impede detection.Detection guidance:
• Monitor process trees where odbcconf.exe is launched from atypical
parents (PowerShell/conhost).
• Alert on hidden PowerShell instances extracting embedded files and
writing PDFs from LNK streams.
• Watch for API patching attempts around EtwEventWrite and AMSI
initialization failures.Mitigation:
• Restrict execution of unsigned Office/shortcut attachments from
untrusted channels.
• Apply application control to prevent odbcconf.exe from loading untrusted DLLs.
• Enable telemetry and harden AMSI where possible; monitor ETW integrity.References/Notes: Preliminary detections were reported from Israel;
campaign observed distribution via Discord and use of decoy PDFs. #LNK
#RAT #AMSI #ETW #LOLBins -
No Agent, No Problem: Discovering Remote #EDR
https://jonny-johnson.medium.com/no-agent-no-problem-discovering-remote-edr-8ca60596559f
-
No Agent, No Problem: Discovering Remote #EDR
https://jonny-johnson.medium.com/no-agent-no-problem-discovering-remote-edr-8ca60596559f
-
No Agent, No Problem: Discovering Remote #EDR
https://jonny-johnson.medium.com/no-agent-no-problem-discovering-remote-edr-8ca60596559f
-
No Agent, No Problem: Discovering Remote #EDR
https://jonny-johnson.medium.com/no-agent-no-problem-discovering-remote-edr-8ca60596559f
-
No Agent, No Problem: Discovering Remote #EDR
https://jonny-johnson.medium.com/no-agent-no-problem-discovering-remote-edr-8ca60596559f
-
PerfView and TraceEvent 3.1.18
-
PerfView and TraceEvent 3.1.18
-
PerfView and TraceEvent 3.1.18
-
PerfView and TraceEvent 3.1.18
-
PerfView and TraceEvent 3.1.18
-
ETW Forensics - Why use Event Tracing for Windows over EventLog? https://blogs.jpcert.or.jp/en/2024/11/etw_forensics.html
-
ETW Forensics - Why use Event Tracing for Windows over EventLog? https://blogs.jpcert.or.jp/en/2024/11/etw_forensics.html
-
ETW Forensics - Why use Event Tracing for Windows over EventLog? https://blogs.jpcert.or.jp/en/2024/11/etw_forensics.html
-
Три слона, на которых держится логирование в Windows
Продолжаем наш цикл статей о типах и методах работы сборщиков данных с конечных точек, или, как принято их называть – агентов. В первой статье мы познакомились с этой сущностью и изучили основные нюансы сбора данных с их помощью. Так как мы в рамках разработки своих продуктов занимаемся и лог-менеджментом, и сбором событий, то хочется поделиться продолжением нашей обширной аналитики в quickstart формате. Поэтому в этом выпуске подробнее разберем функционал и используемые инструменты источников на ОС Windows.
https://habr.com/ru/companies/securityvison/articles/862352/
#Логирование #сбор_событий #eventlog #журналы_windows #журналы_событий #sysmon #event_tracing_for_windows #event_logging #event_log #etw
-
Три слона, на которых держится логирование в Windows
Продолжаем наш цикл статей о типах и методах работы сборщиков данных с конечных точек, или, как принято их называть – агентов. В первой статье мы познакомились с этой сущностью и изучили основные нюансы сбора данных с их помощью. Так как мы в рамках разработки своих продуктов занимаемся и лог-менеджментом, и сбором событий, то хочется поделиться продолжением нашей обширной аналитики в quickstart формате. Поэтому в этом выпуске подробнее разберем функционал и используемые инструменты источников на ОС Windows.
https://habr.com/ru/companies/securityvison/articles/862352/
#Логирование #сбор_событий #eventlog #журналы_windows #журналы_событий #sysmon #event_tracing_for_windows #event_logging #event_log #etw
-
Три слона, на которых держится логирование в Windows
Продолжаем наш цикл статей о типах и методах работы сборщиков данных с конечных точек, или, как принято их называть – агентов. В первой статье мы познакомились с этой сущностью и изучили основные нюансы сбора данных с их помощью. Так как мы в рамках разработки своих продуктов занимаемся и лог-менеджментом, и сбором событий, то хочется поделиться продолжением нашей обширной аналитики в quickstart формате. Поэтому в этом выпуске подробнее разберем функционал и используемые инструменты источников на ОС Windows.
https://habr.com/ru/companies/securityvison/articles/862352/
#Логирование #сбор_событий #eventlog #журналы_windows #журналы_событий #sysmon #event_tracing_for_windows #event_logging #event_log #etw
-
Три слона, на которых держится логирование в Windows
Продолжаем наш цикл статей о типах и методах работы сборщиков данных с конечных точек, или, как принято их называть – агентов. В первой статье мы познакомились с этой сущностью и изучили основные нюансы сбора данных с их помощью. Так как мы в рамках разработки своих продуктов занимаемся и лог-менеджментом, и сбором событий, то хочется поделиться продолжением нашей обширной аналитики в quickstart формате. Поэтому в этом выпуске подробнее разберем функционал и используемые инструменты источников на ОС Windows.
https://habr.com/ru/companies/securityvison/articles/862352/
#Логирование #сбор_событий #eventlog #журналы_windows #журналы_событий #sysmon #event_tracing_for_windows #event_logging #event_log #etw
-
New blog post! Stack walk profiling NodeJS in Windows: https://blogs.igalia.com/dape/2023/03/14/stack-walk-profiling-nodejs-in-windows/ #etw #webperf cc @igalia (1/4)
-
New blog post! Stack walk profiling NodeJS in Windows: https://blogs.igalia.com/dape/2023/03/14/stack-walk-profiling-nodejs-in-windows/ #etw #webperf cc @igalia (1/4)
-
New blog post! Stack walk profiling NodeJS in Windows: https://blogs.igalia.com/dape/2023/03/14/stack-walk-profiling-nodejs-in-windows/ #etw #webperf cc @igalia (1/4)
-
New blog post! Stack walk profiling NodeJS in Windows: https://blogs.igalia.com/dape/2023/03/14/stack-walk-profiling-nodejs-in-windows/ #etw #webperf cc @igalia (1/4)
-
New blog post! Stack walk profiling NodeJS in Windows: https://blogs.igalia.com/dape/2023/03/14/stack-walk-profiling-nodejs-in-windows/ #etw #webperf cc @igalia (1/4)
-
I’m not sure too many people make content for Empire: Total War these days but I am! And I’m using the excellent Darth Mod to boot https://youtube.com/live/SXJCW7PdQTo?feature=share
-
I’m not sure too many people make content for Empire: Total War these days but I am! And I’m using the excellent Darth Mod to boot https://youtube.com/live/SXJCW7PdQTo?feature=share
-
Last blog post in my native call stack profiling series just published. This time about the work I did this year in #V8 #Windows #ETW stack walk support: https://blogs.igalia.com/dape/2022/12/21/native-call-stack-profiling-3-3-2022-work-in-v8/
In march, V8 ETW support was broken. After fixing a small regression, we could proceed improving readability of the traces, and improving initialization. This @igalia work was sponsored by #Bloomberg.
The overhead in V8 is very small now, making the traces more accurate. This work is available in V8 10.9.0.
-
Last blog post in my native call stack profiling series just published. This time about the work I did this year in #V8 #Windows #ETW stack walk support: https://blogs.igalia.com/dape/2022/12/21/native-call-stack-profiling-3-3-2022-work-in-v8/
In march, V8 ETW support was broken. After fixing a small regression, we could proceed improving readability of the traces, and improving initialization. This @igalia work was sponsored by #Bloomberg.
The overhead in V8 is very small now, making the traces more accurate. This work is available in V8 10.9.0.
-
Last blog post in my native call stack profiling series just published. This time about the work I did this year in #V8 #Windows #ETW stack walk support: https://blogs.igalia.com/dape/2022/12/21/native-call-stack-profiling-3-3-2022-work-in-v8/
In march, V8 ETW support was broken. After fixing a small regression, we could proceed improving readability of the traces, and improving initialization. This @igalia work was sponsored by #Bloomberg.
The overhead in V8 is very small now, making the traces more accurate. This work is available in V8 10.9.0.
-
Last blog post in my native call stack profiling series just published. This time about the work I did this year in #V8 #Windows #ETW stack walk support: https://blogs.igalia.com/dape/2022/12/21/native-call-stack-profiling-3-3-2022-work-in-v8/
In march, V8 ETW support was broken. After fixing a small regression, we could proceed improving readability of the traces, and improving initialization. This @igalia work was sponsored by #Bloomberg.
The overhead in V8 is very small now, making the traces more accurate. This work is available in V8 10.9.0.
-
Last blog post in my native call stack profiling series just published. This time about the work I did this year in #V8 #Windows #ETW stack walk support: https://blogs.igalia.com/dape/2022/12/21/native-call-stack-profiling-3-3-2022-work-in-v8/
In march, V8 ETW support was broken. After fixing a small regression, we could proceed improving readability of the traces, and improving initialization. This @igalia work was sponsored by #Bloomberg.
The overhead in V8 is very small now, making the traces more accurate. This work is available in V8 10.9.0.
-
Just published the second blog post in my native call stack profiling series, about Event Tracing for Windows and #Chromium: https://blogs.igalia.com/dape/2022/11/29/native-call-stack-profiling-2-3-event-tracing-for-windows-and-chromium/
#ETW is the native tracing/profiling tool in #Windows. It samples stack traces for further analysis. #V8 assists providing information of the JIT-compiled functions, then available for stack walk analysis.
Big thanks to @[email protected], for his series of blog posts about performance analysis, and for writing #UIForETW. https://github.com/google/UIforETW
-
Just published the second blog post in my native call stack profiling series, about Event Tracing for Windows and #Chromium: https://blogs.igalia.com/dape/2022/11/29/native-call-stack-profiling-2-3-event-tracing-for-windows-and-chromium/
#ETW is the native tracing/profiling tool in #Windows. It samples stack traces for further analysis. #V8 assists providing information of the JIT-compiled functions, then available for stack walk analysis.
Big thanks to @[email protected], for his series of blog posts about performance analysis, and for writing #UIForETW. https://github.com/google/UIforETW
-
Just published the second blog post in my native call stack profiling series, about Event Tracing for Windows and #Chromium: https://blogs.igalia.com/dape/2022/11/29/native-call-stack-profiling-2-3-event-tracing-for-windows-and-chromium/
#ETW is the native tracing/profiling tool in #Windows. It samples stack traces for further analysis. #V8 assists providing information of the JIT-compiled functions, then available for stack walk analysis.
Big thanks to @[email protected], for his series of blog posts about performance analysis, and for writing #UIForETW. https://github.com/google/UIforETW
-
Just published the second blog post in my native call stack profiling series, about Event Tracing for Windows and #Chromium: https://blogs.igalia.com/dape/2022/11/29/native-call-stack-profiling-2-3-event-tracing-for-windows-and-chromium/
#ETW is the native tracing/profiling tool in #Windows. It samples stack traces for further analysis. #V8 assists providing information of the JIT-compiled functions, then available for stack walk analysis.
Big thanks to @[email protected], for his series of blog posts about performance analysis, and for writing #UIForETW. https://github.com/google/UIforETW
-
Just published the second blog post in my native call stack profiling series, about Event Tracing for Windows and #Chromium: https://blogs.igalia.com/dape/2022/11/29/native-call-stack-profiling-2-3-event-tracing-for-windows-and-chromium/
#ETW is the native tracing/profiling tool in #Windows. It samples stack traces for further analysis. #V8 assists providing information of the JIT-compiled functions, then available for stack walk analysis.
Big thanks to @[email protected], for his series of blog posts about performance analysis, and for writing #UIForETW. https://github.com/google/UIforETW
-
Just published: Solving #Windows Log Collection Challenges with Event Tracing https://nxlog.co/whitepapers/windows-event-tracing #etw
Event Tracing for Windows (ETW) logs kernel, application and other system activity. ETW provides better data and uses less resources.
I also added a section with an example of messing around with ETW for another reason to do ETW data centralization.
This part had to be taken out though: https://infosec.exchange/@superruserr/103514722074754232
-
Just published: Solving #Windows Log Collection Challenges with Event Tracing https://nxlog.co/whitepapers/windows-event-tracing #etw
Event Tracing for Windows (ETW) logs kernel, application and other system activity. ETW provides better data and uses less resources.
I also added a section with an example of messing around with ETW for another reason to do ETW data centralization.
This part had to be taken out though: https://infosec.exchange/@superruserr/103514722074754232