TiEtwAgent - ETW-based process injection detection

This project was created to research, build and test different memory injection detection use cases and bypass techniques. The agent utilizes Microsoft-Windows-Threat-Intelligence event tracing provider, as a more modern and stable alternative to Userland-hooking, with the benefit of Kernel-mode visibility.

The project depends on the microsoft/krabsetw library for ETS setup and consumption.

An accompanying blog post can be found here: https://blog.redbluepurple.io/windows-security-research/kernel-tracing-injection-detection

Implemented detection usecases

• ALLOCVM_REMOTE_META_GENERIC
• ALLOCVM_REMOTE_SIGNATURES
• APC detections
• Process hollowing detections
• Reflective techniques

Setup instructions

Assuming you do not have a Microsoft-trusted signing certificate:

• Put your machine in the test signing mode with bcdedit
• Generate a self-signed certificate with ELAM and Code Signing EKU
• Sign TiEtwAgent.exe and your ELAM driver with the certificate
• ./TiEtwAgent install
• net start TiEtwAgent
• Look for logs, by default in C:\Windows\Temp\TiEtwAgent.txt

TODO

• PPL Service, event parsing
• First detection
• Ingegrate Yara and scanning
• Rewrite with OOP
• Detection lifecycle
• Risk based lifecycle

PS. If you do not want to write an ELAM driver, you can get one from https://github.com/pathtofile/PPLRunner/tree/main/elam_driver

Special thanks to @pathtofile for the post here: https://blog.tofile.dev/2020/12/16/elam.html