PSWasp is a PowerShell project that enables users to easily interact with Event Tracing for Windows (ETW); specifically designed for forensic collection and analysis. Originally intended as a Windows debugging utility, ETW has evolved to support a myriad of diverse use cases. Modern Windows operating systems (8.1, 2012, Win10, and Server 2016) ship with hundreds of application and kernel layer ETW providers, any of which could capture and log critical information during an investigation. PSalandar enables users to easily start and capture events from one or many ETW providers.
- .NET 4.0 or greater
- PowerShell 3.0 or greater
- PSWasp uses and ships a copy of the Microsoft's TraceEvent DLL License
Get-ETWProvider
Get-ETWSessionNames
Warning: Enumerating session details has been found to inadvertently stop ETW sessions in some cases.
Get-ETWSessionDetails
Defines the provider name or GUID, filtering keywords, or other filtering options
This example configures the Micorsoft-Windows-Kernel-Process
provider and only enables the Process
, Image
, and Thread
keywords
$ProviderConfig = New-ETWProviderConfig
$ProviderConfig.Name = 'Microsoft-Windows-Kernel-Process'
$ProcessRegex = '_PROCESS$|_IMAGE$|_THREAD$'
Get-ETWProviderKeywords -ProviderName $ProviderConfig.Name |
Where-Object { $_.Name -match $ProcessRegex } |
ForEach-Object { $ProviderConfig.Keywords += $_ }
Start-ETWSession -ProviderConfig $ProviderConfig -SessionName <unique session name> -OutputFile <path to etl file>
Stop-ETWSession -SessionName <previously provided unique session name>
Get-WinEvent -Path <path to ETL file> -Oldest
Kernel session is an optional argument that starts a unique kernel session. Enabling this session allows for the capture of process command line arguments.
Note: Kernel session is enabled by default use -DisableKernelProvider
to disable
Start-ETWForensicCollection -SessionName <unique session name> -OutputFile <path to etl file>
Will automatically identify and parse any kernel session output files from the same session
Get-ETWForensicEventLog -Path <path to ETL file>
https://github.com/Microsoft/dotnetsamples/blob/master/Microsoft.Diagnostics.Tracing/TraceEvent/docs/TraceEvent.md https://blogs.msdn.microsoft.com/vancem/2012/12/20/using-tracesource-to-log-etw-data-to-a-file/ https://msdn.microsoft.com/en-us/library/windows/desktop/aa363668(v=vs.85).aspx https://github.com/Microsoft/perfview/blob/master/src/TraceEvent/TraceEventSession.cs https://blogs.technet.microsoft.com/office365security/hidden-treasure-intrusion-detection-with-etw-part-1/ https://blogs.technet.microsoft.com/office365security/hidden-treasure-intrusion-detection-with-etw-part-2/