Time Table

ETW (Event Tracing for Windows) is a feature of Windows OS that aggregates and records events related to the operations of applications and drivers. It is widely used for log management and security monitoring. However, in recent security incident investigations, logs recorded in the Event Log alone are often insufficient to provide adequate information. Therefore, there is a growing demand for mechanisms that can record more detailed information on Windows OS.

ETW has the potential to record more activities than the Event Log and is used for monitoring by many EDR products. On the other hand, attackers are incorporating functions to bypass ETW into malware to evade EDR products.

This session will provide a detailed explanation of incident response techniques using ETW and methods to bypass ETW functions. The presentation will first explain the mechanism of ETW, file formats, and ETW structures. Then, methods to detect malicious activities as well as forensic techniques using ETW will be introduced. In addition, current ETW bypass methods used in malware will also be explained. Finally, the session will cover methods to protect systems from ETW bypass techniques and introduce tools that the speakers have developed for incident response using ETW.

This presentation aims to provide a deeper understanding of ETW and how to utilize the knowledge to enhance the security of systems and networks.