home.social

#etw — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #etw, aggregated by home.social.

  1. @BlumeEvolution @steffensmile @Teh_Doc_Inan @solaris

    a) das Beispiel teure Kaffeemaschine für Kaffeebohnen (arme Studis müssen Pads nehmen) ist nicht lebenspraktisch, da Studis ja auch gemahlenen Kaffee, Filtertüren, preiswerte Kaffeemaschinen benutzen können (Kaffeesatz als Dünger für Pflanzen)☕

    b) vielen Vermietern fehlen die Mittel zur Umrüstung auf...🏘️ 💶

    c) Besitzer*innen #ETW müssen sich Abstimmungsergebnissen beugen - sitzen also auch in Fallen (#Heizung #Gemeinschaftseigentum)

  2. @BlumeEvolution @steffensmile @Teh_Doc_Inan @solaris

    a) das Beispiel teure Kaffeemaschine für Kaffeebohnen (arme Studis müssen Pads nehmen) ist nicht lebenspraktisch, da Studis ja auch gemahlenen Kaffee, Filtertüren, preiswerte Kaffeemaschinen benutzen können (Kaffeesatz als Dünger für Pflanzen)☕

    b) vielen Vermietern fehlen die Mittel zur Umrüstung auf...🏘️ 💶

    c) Besitzer*innen #ETW müssen sich Abstimmungsergebnissen beugen - sitzen also auch in Fallen (#Heizung #Gemeinschaftseigentum)

  3. @BlumeEvolution @steffensmile @Teh_Doc_Inan @solaris

    a) das Beispiel teure Kaffeemaschine für Kaffeebohnen (arme Studis müssen Pads nehmen) ist nicht lebenspraktisch, da Studis ja auch gemahlenen Kaffee, Filtertüren, preiswerte Kaffeemaschinen benutzen können (Kaffeesatz als Dünger für Pflanzen)☕

    b) vielen Vermietern fehlen die Mittel zur Umrüstung auf...🏘️ 💶

    c) Besitzer*innen #ETW müssen sich Abstimmungsergebnissen beugen - sitzen also auch in Fallen (#Heizung #Gemeinschaftseigentum)

  4. @BlumeEvolution @steffensmile @Teh_Doc_Inan @solaris

    a) das Beispiel teure Kaffeemaschine für Kaffeebohnen (arme Studis müssen Pads nehmen) ist nicht lebenspraktisch, da Studis ja auch gemahlenen Kaffee, Filtertüren, preiswerte Kaffeemaschinen benutzen können (Kaffeesatz als Dünger für Pflanzen)☕

    b) vielen Vermietern fehlen die Mittel zur Umrüstung auf...🏘️ 💶

    c) Besitzer*innen #ETW müssen sich Abstimmungsergebnissen beugen - sitzen also auch in Fallen (#Heizung #Gemeinschaftseigentum)

  5. @BlumeEvolution @steffensmile @Teh_Doc_Inan @solaris

    a) das Beispiel teure Kaffeemaschine für Kaffeebohnen (arme Studis müssen Pads nehmen) ist nicht lebenspraktisch, da Studis ja auch gemahlenen Kaffee, Filtertüren, preiswerte Kaffeemaschinen benutzen können (Kaffeesatz als Dünger für Pflanzen)☕

    b) vielen Vermietern fehlen die Mittel zur Umrüstung auf...🏘️ 💶

    c) Besitzer*innen #ETW müssen sich Abstimmungsergebnissen beugen - sitzen also auch in Fallen (#Heizung #Gemeinschaftseigentum)

  6. A room with a view🏖

    Das ist die Aussicht aus des Mannes Kammer. Ein 70er Wohnschachtel-Dings mit Kratzputz. Mitten zwischen Gärten und Gründerzeit-Häuser gepflanzt. Einfach so. Plopp. Wenn man keinen Bock auf Häuser entwerfen hat, kann man doch was anderes machen ... Kammerjäger oder Kampfmittelräumdienst ... wird auch gebraucht und entspricht evtl mehr der persönlichen Neigung.

    #Architektur #Schöner_Wohnen #70er #Aussicht #ETW

  7. 📢 Fuzzing récursif des structures MS-RPC avec ETW : escalade de privilèges vers SYSTEM
    📝 ## 🔍 Contexte

    Article technique publié le 4 mai 2026 par Remco van der Meer sur incendium.rocks, présentant des mises à jour...
    📖 cyberveille : cyberveille.ch/posts/2026-05-0
    🌐 source : incendium.rocks/posts/Fuzzing-
    #ETW #IOC #Cyberveille

  8. FortiGuard IR researchers have highlighted unexpected forensic value in the AutoLogger-Diagtrack-Listener.etl file on modern Windows systems.

    Despite low exploitation severity, the artefact has shown the ability to preserve historical process-execution data, including deleted binaries and command-line traces — helpful in ransomware investigations.

    What’s your view on ETW-based artefacts in DFIR workflows?

    Source: fortinet.com/blog/threat-resea

    Share your insights and follow us for more clear, unbiased analysis.

    #InfoSec #DFIR #ThreatIntel #WindowsForensics #ETW #Telemetry #CyberSecurity #IncidentResponse #SecurityResearch #ThreatAnalysis

  9. FortiGuard IR researchers have highlighted unexpected forensic value in the AutoLogger-Diagtrack-Listener.etl file on modern Windows systems.

    Despite low exploitation severity, the artefact has shown the ability to preserve historical process-execution data, including deleted binaries and command-line traces — helpful in ransomware investigations.

    What’s your view on ETW-based artefacts in DFIR workflows?

    Source: fortinet.com/blog/threat-resea

    Share your insights and follow us for more clear, unbiased analysis.

    #InfoSec #DFIR #ThreatIntel #WindowsForensics #ETW #Telemetry #CyberSecurity #IncidentResponse #SecurityResearch #ThreatAnalysis

  10. FortiGuard IR researchers have highlighted unexpected forensic value in the AutoLogger-Diagtrack-Listener.etl file on modern Windows systems.

    Despite low exploitation severity, the artefact has shown the ability to preserve historical process-execution data, including deleted binaries and command-line traces — helpful in ransomware investigations.

    What’s your view on ETW-based artefacts in DFIR workflows?

    Source: fortinet.com/blog/threat-resea

    Share your insights and follow us for more clear, unbiased analysis.

    #InfoSec #DFIR #ThreatIntel #WindowsForensics #ETW #Telemetry #CyberSecurity #IncidentResponse #SecurityResearch #ThreatAnalysis

  11. Hm, im #KüchenRegal war weniger Marmelade zu finden als gedacht; und #Nudelsoße muß ich dringend kaufen. Fünf Kilogramm #ETW (EierTeigWaren) sollten eine Weile reichen.

  12. Hm, im #KüchenRegal war weniger Marmelade zu finden als gedacht; und #Nudelsoße muß ich dringend kaufen. Fünf Kilogramm #ETW (EierTeigWaren) sollten eine Weile reichen.

  13. 🦠 Malware Analysis
    ===================

    🦠 Malware Analysis

    Executive summary: A recently observed campaign leverages malicious
    Windows shortcut files (.LNK) distributed via Discord to deliver a
    multi‑functional Remote Access Trojan (RAT). The LNK triggers a hidden
    PowerShell that extracts a ZIP (Moq.zip) containing a malicious DLL
    and executes it through the legitimate binary odbcconf.exe, a
    Living‑off‑the‑Land Binary (LOLBin), to evade detection.

    Technical details:
    • The shortcut named Cyber security.lnk opens an embedded decoy PDF
    Cyber security.pdf while running a PowerShell payload in hidden mode
    (via a headless conhost.exe).
    • The PowerShell creates a working path (Temp and a Nuget folder under
    Public), extracts an embedded PDF and the ZIP archive, then drops
    Moq.zip and a malicious DLL.
    • Execution is handed to odbcconf.exe to load the DLL, enabling
    process execution without spawning visible consoles.
    • The RAT collects system/antivirus information, attempts AMSI
    bypasses, and patches EtwEventWrite to impair Windows Event Tracing
    (ETW).

    🔹 Attack Chain Analysis

    1. Initial Access (LNK): User opens Cyber security.lnk from Discord —
    triggers hidden PowerShell (MITRE: T1204.002).
    2. Download/Stage: PowerShell extracts embedded PDF and Moq.zip into
    Temp/Public\Nuget.
    3. Execution via LOLBin: odbcconf.exe is used to load the dropped DLL
    (MITRE: T1218 — System Binary Proxy Execution).
    4. Persistence/Control: Malicious DLL implements RAT behaviors,
    including remote commands and reconnaissance.
    5. Defense Evasion: AMSI bypass and EtwEventWrite patching (Impair
    Defenses) reduce telemetry and impede detection.

    Detection guidance:
    • Monitor process trees where odbcconf.exe is launched from atypical
    parents (PowerShell/conhost).
    • Alert on hidden PowerShell instances extracting embedded files and
    writing PDFs from LNK streams.
    • Watch for API patching attempts around EtwEventWrite and AMSI
    initialization failures.

    Mitigation:
    • Restrict execution of unsigned Office/shortcut attachments from
    untrusted channels.
    • Apply application control to prevent odbcconf.exe from loading untrusted DLLs.
    • Enable telemetry and harden AMSI where possible; monitor ETW integrity.

    References/Notes: Preliminary detections were reported from Israel;
    campaign observed distribution via Discord and use of decoy PDFs. #LNK
    #RAT #AMSI #ETW #LOLBins

    🔗 Source: labs.k7computing.com/index.php

  14. Три слона, на которых держится логирование в Windows

    Продолжаем наш цикл статей о типах и методах работы сборщиков данных с конечных точек, или, как принято их называть – агентов. В первой статье мы познакомились с этой сущностью и изучили основные нюансы сбора данных с их помощью. Так как мы в рамках разработки своих продуктов занимаемся и лог-менеджментом, и сбором событий, то хочется поделиться продолжением нашей обширной аналитики в quickstart формате. Поэтому в этом выпуске подробнее разберем функционал и используемые инструменты источников на ОС Windows.

    habr.com/ru/companies/security

    #Логирование #сбор_событий #eventlog #журналы_windows #журналы_событий #sysmon #event_tracing_for_windows #event_logging #event_log #etw

  15. Три слона, на которых держится логирование в Windows

    Продолжаем наш цикл статей о типах и методах работы сборщиков данных с конечных точек, или, как принято их называть – агентов. В первой статье мы познакомились с этой сущностью и изучили основные нюансы сбора данных с их помощью. Так как мы в рамках разработки своих продуктов занимаемся и лог-менеджментом, и сбором событий, то хочется поделиться продолжением нашей обширной аналитики в quickstart формате. Поэтому в этом выпуске подробнее разберем функционал и используемые инструменты источников на ОС Windows.

    habr.com/ru/companies/security

    #Логирование #сбор_событий #eventlog #журналы_windows #журналы_событий #sysmon #event_tracing_for_windows #event_logging #event_log #etw

  16. Три слона, на которых держится логирование в Windows

    Продолжаем наш цикл статей о типах и методах работы сборщиков данных с конечных точек, или, как принято их называть – агентов. В первой статье мы познакомились с этой сущностью и изучили основные нюансы сбора данных с их помощью. Так как мы в рамках разработки своих продуктов занимаемся и лог-менеджментом, и сбором событий, то хочется поделиться продолжением нашей обширной аналитики в quickstart формате. Поэтому в этом выпуске подробнее разберем функционал и используемые инструменты источников на ОС Windows.

    habr.com/ru/companies/security

    #Логирование #сбор_событий #eventlog #журналы_windows #журналы_событий #sysmon #event_tracing_for_windows #event_logging #event_log #etw

  17. Три слона, на которых держится логирование в Windows

    Продолжаем наш цикл статей о типах и методах работы сборщиков данных с конечных точек, или, как принято их называть – агентов. В первой статье мы познакомились с этой сущностью и изучили основные нюансы сбора данных с их помощью. Так как мы в рамках разработки своих продуктов занимаемся и лог-менеджментом, и сбором событий, то хочется поделиться продолжением нашей обширной аналитики в quickstart формате. Поэтому в этом выпуске подробнее разберем функционал и используемые инструменты источников на ОС Windows.

    habr.com/ru/companies/security

    #Логирование #сбор_событий #eventlog #журналы_windows #журналы_событий #sysmon #event_tracing_for_windows #event_logging #event_log #etw

  18. I’m not sure too many people make content for Empire: Total War these days but I am! And I’m using the excellent Darth Mod to boot youtube.com/live/SXJCW7PdQTo?f

    #ETW #Strategy

  19. I’m not sure too many people make content for Empire: Total War these days but I am! And I’m using the excellent Darth Mod to boot youtube.com/live/SXJCW7PdQTo?f

    #ETW #Strategy

  20. Last blog post in my native call stack profiling series just published. This time about the work I did this year in #V8 #Windows #ETW stack walk support: blogs.igalia.com/dape/2022/12/

    In march, V8 ETW support was broken. After fixing a small regression, we could proceed improving readability of the traces, and improving initialization. This @igalia work was sponsored by #Bloomberg.

    The overhead in V8 is very small now, making the traces more accurate. This work is available in V8 10.9.0.

    #WebPerf

  21. Last blog post in my native call stack profiling series just published. This time about the work I did this year in #V8 #Windows #ETW stack walk support: blogs.igalia.com/dape/2022/12/

    In march, V8 ETW support was broken. After fixing a small regression, we could proceed improving readability of the traces, and improving initialization. This @igalia work was sponsored by #Bloomberg.

    The overhead in V8 is very small now, making the traces more accurate. This work is available in V8 10.9.0.

    #WebPerf

  22. Last blog post in my native call stack profiling series just published. This time about the work I did this year in #V8 #Windows #ETW stack walk support: blogs.igalia.com/dape/2022/12/

    In march, V8 ETW support was broken. After fixing a small regression, we could proceed improving readability of the traces, and improving initialization. This @igalia work was sponsored by #Bloomberg.

    The overhead in V8 is very small now, making the traces more accurate. This work is available in V8 10.9.0.

    #WebPerf

  23. Last blog post in my native call stack profiling series just published. This time about the work I did this year in #V8 #Windows #ETW stack walk support: blogs.igalia.com/dape/2022/12/

    In march, V8 ETW support was broken. After fixing a small regression, we could proceed improving readability of the traces, and improving initialization. This @igalia work was sponsored by #Bloomberg.

    The overhead in V8 is very small now, making the traces more accurate. This work is available in V8 10.9.0.

    #WebPerf

  24. Last blog post in my native call stack profiling series just published. This time about the work I did this year in #V8 #Windows #ETW stack walk support: blogs.igalia.com/dape/2022/12/

    In march, V8 ETW support was broken. After fixing a small regression, we could proceed improving readability of the traces, and improving initialization. This @igalia work was sponsored by #Bloomberg.

    The overhead in V8 is very small now, making the traces more accurate. This work is available in V8 10.9.0.

    #WebPerf

  25. Just published the second blog post in my native call stack profiling series, about Event Tracing for Windows and #Chromium: blogs.igalia.com/dape/2022/11/

    #ETW is the native tracing/profiling tool in #Windows. It samples stack traces for further analysis. #V8 assists providing information of the JIT-compiled functions, then available for stack walk analysis.

    Big thanks to @[email protected], for his series of blog posts about performance analysis, and for writing #UIForETW. github.com/google/UIforETW

  26. Just published the second blog post in my native call stack profiling series, about Event Tracing for Windows and #Chromium: blogs.igalia.com/dape/2022/11/

    #ETW is the native tracing/profiling tool in #Windows. It samples stack traces for further analysis. #V8 assists providing information of the JIT-compiled functions, then available for stack walk analysis.

    Big thanks to @[email protected], for his series of blog posts about performance analysis, and for writing #UIForETW. github.com/google/UIforETW

  27. Just published the second blog post in my native call stack profiling series, about Event Tracing for Windows and #Chromium: blogs.igalia.com/dape/2022/11/

    #ETW is the native tracing/profiling tool in #Windows. It samples stack traces for further analysis. #V8 assists providing information of the JIT-compiled functions, then available for stack walk analysis.

    Big thanks to @[email protected], for his series of blog posts about performance analysis, and for writing #UIForETW. github.com/google/UIforETW

  28. Just published the second blog post in my native call stack profiling series, about Event Tracing for Windows and #Chromium: blogs.igalia.com/dape/2022/11/

    #ETW is the native tracing/profiling tool in #Windows. It samples stack traces for further analysis. #V8 assists providing information of the JIT-compiled functions, then available for stack walk analysis.

    Big thanks to @[email protected], for his series of blog posts about performance analysis, and for writing #UIForETW. github.com/google/UIforETW

  29. Just published the second blog post in my native call stack profiling series, about Event Tracing for Windows and #Chromium: blogs.igalia.com/dape/2022/11/

    #ETW is the native tracing/profiling tool in #Windows. It samples stack traces for further analysis. #V8 assists providing information of the JIT-compiled functions, then available for stack walk analysis.

    Big thanks to @[email protected], for his series of blog posts about performance analysis, and for writing #UIForETW. github.com/google/UIforETW

  30. Just published: Solving #Windows Log Collection Challenges with Event Tracing nxlog.co/whitepapers/windows-e #etw

    Event Tracing for Windows (ETW) logs kernel, application and other system activity. ETW provides better data and uses less resources.

    I also added a section with an example of messing around with ETW for another reason to do ETW data centralization.

    This part had to be taken out though: infosec.exchange/@superruserr/

  31. Just published: Solving #Windows Log Collection Challenges with Event Tracing nxlog.co/whitepapers/windows-e #etw

    Event Tracing for Windows (ETW) logs kernel, application and other system activity. ETW provides better data and uses less resources.

    I also added a section with an example of messing around with ETW for another reason to do ETW data centralization.

    This part had to be taken out though: infosec.exchange/@superruserr/