Event Tracing for Windows (ETW) is an effective way to track system events in Windows: it provides a record of what happened on a system and thereby helps detect abnormal behavior. Because ETW can record detailed and diverse logging data, it has become an important source of information for cybersecurity tools and services. The .NET Framework is likewise widely used by Windows developers for its functionality and convenience; however, the same qualities make .NET popular with cybercriminals. With a focus on .NET malware, this presentation discusses how to best leverage ETW to monitor system behavior and detect malicious activity: how to identify critical system events, locate key digital forensic evidence of malicious activity, and separate malicious from merely suspicious activity. Next, we look at real-world cases in which system behavior was successfully analyzed via ETW. Finally, we discuss how .NET malware has been leveraged in recent attacks targeting Taiwan.
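The following PowerShell script is an added illustration of the approach the abstract outlines; it is not material from the talk or from CyCraft. It records the CLR's ETW loader events (provider Microsoft-Windows-DotNETRuntime, keyword 0x8 = Loader) for a short window, then parses the resulting ETL file for AssemblyLoad_V1 events (event ID 154) and flags assemblies that carry no public key token or that were loaded into processes which normally never host managed code. The session name, output path, capture duration and the list of "unexpected host" processes are assumptions chosen for the example and should be tuned to your environment.

```powershell
# Added example, not code from the CYBERSEC 2022 talk. Run from an elevated
# PowerShell on a Windows host with the .NET Framework installed.

$SessionName = 'DotNetLoaderTrace'            # assumed session name
$EtlPath     = 'C:\Temp\dotnet-loader.etl'    # assumed output path
$CaptureSecs = 60                             # assumed capture window
# Microsoft-Windows-DotNETRuntime provider GUID; keyword 0x8 = Loader,
# level 5 = Verbose (assembly load events are emitted at Informational).
$ClrProvider = '{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}'

New-Item -ItemType Directory -Path (Split-Path $EtlPath) -Force | Out-Null

# 1. Start an ETW trace session that writes CLR loader events to the ETL file.
logman create trace $SessionName -p $ClrProvider 0x8 0x5 -o $EtlPath -ets | Out-Null
Write-Host "Capturing CLR loader events for $CaptureSecs seconds..."
Start-Sleep -Seconds $CaptureSecs
logman stop $SessionName -ets | Out-Null

# 2. Parse the ETL. Event 154 = AssemblyLoad_V1. Its only string payload
#    field is FullyQualifiedAssemblyName, so pick it by type rather than by
#    a fixed index to stay robust across event versions.
$assemblyLoads = Get-WinEvent -Path $EtlPath -Oldest | Where-Object { $_.Id -eq 154 }

# 3. Hunting heuristics. The baseline below is an assumption for the example:
#    processes that, in a typical environment, should never spin up the CLR.
$UnexpectedHosts = @('notepad.exe', 'explorer.exe', 'svchost.exe',
                     'rundll32.exe', 'regsvr32.exe', 'mshta.exe')

foreach ($e in $assemblyLoads) {
    $asm = ($e.Properties | Where-Object { $_.Value -is [string] } |
            Select-Object -First 1).Value
    # The process may already have exited by the time we parse; record that.
    $proc = try { (Get-Process -Id $e.ProcessId -ErrorAction Stop).ProcessName + '.exe' }
            catch { 'exited-or-unknown' }

    $flags = @()
    if ($UnexpectedHosts -contains $proc.ToLower()) { $flags += 'clr-in-unexpected-host' }
    if ($asm -match 'PublicKeyToken=null')           { $flags += 'unsigned-assembly' }

    if ($flags) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            PID      = $e.ProcessId
            Process  = $proc
            Assembly = $asm
            Flags    = ($flags -join ',')
        }
    }
}
```

Two caveats a practitioner should keep in mind. Get-WinEvent decodes the ETL payload through the provider's registered manifest; if the Properties collection comes back empty, the CLR manifest is not registered on the parsing host, and tools such as tracerpt or PerfView can read the same file instead. Second, these events are emitted from inside the traced process by the CLR itself, so malware that patches the in-process ETW write path can silence them; correlate the loader events with providers that the process cannot tamper with (for example kernel process and image-load tracing) before treating an absence of events as benign.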
Gary Sun is a cybersecurity researcher at CyCraft Technology and is currently focused on ETW security and .NET malware analysis. He graduated from the Institute of Network Engineering at National Yang Ming Chiao Tung University and has published papers at the Cryptology and Information Security Conference (CISC).