<h1 id="heading-background">Background</h1>
<ul>
<li>First two parts are related to observing process: what is it doing? <a target="_blank" href="https://jym.sg/windows-events--part-1-of-3--process-auditing">Part 1 touched on Windows Process Auditing</a> &amp; <a target="_blank" href="https://jym.sg/windows-events--part-2-of-3--sysmon">Part 2 covered Sysmon</a>.
</li>
<li>This part illustrates how we can use events from Event Tracing for Windows to disrupt malicious Code-Execution.
</li>
<li>Some terms &amp; concepts are based on background materials from <a target="_blank" href="https://jym.sg/cyber-security-in-7-weeks#87a072b2d942490e82e6ac658202722c">my Cyber Security in 7 weeks series</a>.
</li>
</ul>
<h1 id="heading-outline-amp-objectives">Outline &amp; Objectives</h1>
<ol>
<li>Learn that evasions are cheap &amp; effective against paid controls that are based on signature detection.
</li>
<li>Review case studies of existing products &amp; gain ideas to disrupt offensive TTPs.
</li>
<li>Quick introduction to ETW to prepare you for C# code compilation &amp; step-through of a simple App-Control program.
</li>
<li>Simulate Multi-stage or Chained Code-Execution &amp; watch it being disrupted by this simple App-Control, to experience &amp; strengthen understanding of earlier sections.
</li>
</ol>
Full article: <a target="_blank" href="https://jym.sg/windows-events--part-3--disrupt-code-execution-with-etw">https://jym.sg/windows-events--part-3--disrupt-code-execution-with-etw</a>

# Background

* First two parts are related to observing process: what is it doing? [*Part 1 touched on Windows Process Auditing*](https://jym.sg/windows-events--part-1-of-3--process-auditing) *&* [*Part 2 covered Sysmon*](https://jym.sg/windows-events--part-2-of-3--sysmon)*.*
    
* This part illustrates how we can use events from **E**vent **T**racing for **W**indows to disrupt malicious Code-Execution.
    
* Some terms & concepts are based on background materials from [my Cyber Security in 7 weeks series](https://jym.sg/cyber-security-in-7-weeks#87a072b2d942490e82e6ac658202722c).
    

# Outline & *Objectives*

1. Learn that evasions are cheap & effective against paid controls that are based on signature detection.
    
2. Review case studies of existing products & *gain ideas to disrupt offensive TTPs.*
    
3. Quick introduction to ETW *to prepare you for C# code compilation & step-through of a simple App-Control program.*
    
4. Simulate Multi-stage or Chained Code-Execution & watch it being disrupted by this simple App-Control, *to experience & strengthen understanding of earlier sections.*
    

Full article: [https://jym.sg/windows-events--part-3--disrupt-code-execution-with-etw](https://jym.sg/windows-events--part-3--disrupt-code-execution-with-etw)

This part illustrates how we can use events from Event Tracing for Windows to disrupt malicious Code-Execution.

Windows Events - Part 3 - Disrupt Code Execution with ETW

Technologist specialising in Cyber Defense


Cyber Defender's Tips & Insights. Endpoint Protection & Defense. Cyber Deception & Moving Target Defense.

blog.jym.sg

blog.jym.sg

Windows Events - Part 3 - Disrupt Code Execution with ETW

Background

Outline & Objectives