TiEtwAgent - ETW-based process injection detection
This project was created to research, build and test different memory injection detection use cases and bypass techniques. The agent utilizes the Microsoft-Windows-Threat-Intelligence event tracing provider as a more modern and stable alternative to userland hooking, with the benefit of kernel-mode visibility.
The project depends on the microsoft/krabsetw library for ETW session setup and event consumption.
An accompanying blog post can be found here: https://blog.redbluepurple.io/windows-security-research/kernel-tracing-injection-detection
Implemented detection use cases
- ALLOCVM_REMOTE_META_GENERIC
- ALLOCVM_REMOTE_SIGNATURES
- APC detections
- Process hollowing detections
- Reflective techniques
Setup instructions
Assuming you do not have a Microsoft-trusted signing certificate:
- Put your machine in test signing mode with bcdedit
- Generate a self-signed certificate with ELAM and Code Signing EKU
- Sign TiEtwAgent.exe and your ELAM driver with the certificate
- ./TiEtwAgent install
- net start TiEtwAgent
- Look for logs, by default in C:\Windows\Temp\TiEtwAgent.txt
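The setup steps above as one elevated PowerShell session, added here as an example and not taken from the project. The ELAM driver file name TiEtwAgentElam.sys and the certificate subject are assumptions; the two EKU OIDs are the standard Code Signing and Early Launch Antimalware values.

```powershell
# Added example (not part of the TiEtwAgent project): the setup steps as an
# elevated PowerShell session. Assumptions: the ELAM driver is .\TiEtwAgentElam.sys
# (hypothetical file name) and the certificate is only meant for a lab machine.

# 1. Test signing mode lets the kernel load drivers not signed by Microsoft.
#    Takes effect after a reboot; turn it off again when the lab work is done.
bcdedit /set testsigning on

# 2. Self-signed certificate carrying both EKUs the ELAM loader expects:
#    Code Signing (1.3.6.1.5.5.7.3.3) and Early Launch Antimalware (1.3.6.1.4.1.311.61.4.1).
$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=TiEtwAgent Test Signing' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.61.4.1') `
    -CertStoreLocation Cert:\LocalMachine\My

# Confirm both EKUs actually landed on the certificate before signing anything.
$cert.EnhancedKeyUsageList | Format-Table FriendlyName, ObjectId

# Trust the certificate on this machine so the signatures verify as Valid.
$cerPath = Join-Path $env:TEMP 'TiEtwAgentTest.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 3. Sign the agent and the ELAM driver, then verify each signature.
foreach ($file in '.\TiEtwAgent.exe', '.\TiEtwAgentElam.sys') {
    Set-AuthenticodeSignature -FilePath $file -Certificate $cert -HashAlgorithm SHA256 | Out-Null
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') { throw "Signature check failed for $file : $($sig.Status)" }
    "$file signed by $($sig.SignerCertificate.Subject)"
}

# 4. Install and start the service, then follow the detection log.
.\TiEtwAgent install
net start TiEtwAgent
Get-Content -Path 'C:\Windows\Temp\TiEtwAgent.txt' -Wait
```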
TODO
- PPL Service, event parsing
- First detection
- Integrate Yara and scanning
- Rewrite with OOP
- Detection lifecycle
- Risk based lifecycle
PS. If you do not want to write an ELAM driver, you can get one from https://github.com/pathtofile/PPLRunner/tree/main/elam_driver
Special thanks to @pathtofile for the post here: https://blog.tofile.dev/2020/12/16/elam.html