Windows Events - Part 3 - Disrupt Code Execution with ETW
Background
The first two parts were about observing a process: what is it doing? Part 1 touched on Windows Process Auditing & Part 2 covered Sysmon.
This part illustrates how events from Event Tracing for Windows (ETW) can be used to disrupt malicious code execution.
Some terms & concepts are based on background materials from my Cyber Security in 7 weeks series.
Outline & Objectives
Learn that evasion is cheap & effective against commercial controls that rely on signature-based detection.
Review case studies of existing products & gain ideas for disrupting offensive TTPs.
Quick introduction to ETW to prepare you for compiling C# code & stepping through a simple App-Control program.
Simulate multi-stage or chained code execution & watch it being disrupted by this simple App-Control program, to experience & strengthen your understanding of the earlier sections.
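As an added illustration of the kind of program the outline describes (this is example code written for this page, not the article's own App-Control program), the C# console app below consumes kernel process-start events from ETW through the Microsoft.Diagnostics.Tracing.TraceEvent library, resolves each new process's parent, and terminates the child when the parent/child pair matches a chain rule. The rule lists (Office and script hosts spawning LOLBins such as powershell.exe or rundll32.exe), the session name and the class name are assumptions made for the example.

```csharp
// Added example (not from the original article): a minimal ETW-driven "app control"
// that watches kernel process-start events and terminates a child process whose
// parent/child pair matches a chain rule. Build as a .NET console app with the
// NuGet package Microsoft.Diagnostics.Tracing.TraceEvent; run elevated, since
// kernel ETW sessions require administrator rights.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Diagnostics;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

class EtwAppControl
{
    // Constructed rule set (an assumption for this example, not the article's rules):
    // a child from the second list started by a parent from the first list is treated
    // as a suspicious multi-stage chain.
    static readonly HashSet<string> ChainParents = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe" };
    static readonly HashSet<string> ChainChildren = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe" };

    // PID -> image name, so the parent of a new process can be resolved from ParentID.
    static readonly ConcurrentDictionary<int, string> Images = new ConcurrentDictionary<int, string>();

    static void Main()
    {
        // Seed with processes that were already running before the session started;
        // otherwise their children could not be attributed to a parent image.
        foreach (var p in Process.GetProcesses())
        {
            try { Images[p.Id] = p.ProcessName + ".exe"; }
            catch { /* some system processes deny access; skip them */ }
        }

        // Session name is arbitrary; an existing session with the same name is taken over.
        using (var session = new TraceEventSession("EtwAppControlDemo"))
        {
            Console.CancelKeyPress += (s, e) => { e.Cancel = true; session.Dispose(); };

            // Only the Process keyword is needed: process start/stop events.
            session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);

            session.Source.Kernel.ProcessStart += data =>
            {
                string image = data.ImageFileName;          // e.g. "powershell.exe"
                Images[data.ProcessID] = image;

                Images.TryGetValue(data.ParentID, out string parent);
                if (parent != null && ChainParents.Contains(parent) && ChainChildren.Contains(image))
                {
                    Console.WriteLine($"[BLOCK] {parent} ({data.ParentID}) -> {image} ({data.ProcessID}) cmd: {data.CommandLine}");
                    TryKill(data.ProcessID);
                }
                else
                {
                    Console.WriteLine($"[allow] {parent ?? "?"} ({data.ParentID}) -> {image} ({data.ProcessID})");
                }
            };

            // Drop exited processes so a recycled PID is not attributed to an old image.
            session.Source.Kernel.ProcessStop += data => Images.TryRemove(data.ProcessID, out _);

            Console.WriteLine("Listening for process starts (Ctrl+C to stop)...");
            session.Source.Process();   // blocks, dispatching callbacks until the session is disposed
        }
    }

    // ETW delivers events after the fact, so the child has already started:
    // this disrupts the chain rather than preventing it, and the kill can race
    // with a short-lived process that has already exited.
    static void TryKill(int pid)
    {
        try
        {
            using (var p = Process.GetProcessById(pid)) { p.Kill(); }
            Console.WriteLine($"        killed PID {pid}");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"        could not kill PID {pid}: {ex.Message}");
        }
    }
}
```

To try it, start the program in an elevated console, then launch a chain such as a Word macro or wscript.exe spawning powershell.exe; the second stage is reported as [BLOCK] and terminated, while unrelated process starts are logged as [allow]. Because the event arrives after the process has been created, the second stage may execute for a few milliseconds before it is killed, which is the difference between disruption and true prevention.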
Full article: https://jym.sg/windows-events--part-3--disrupt-code-execution-with-etw