This tool [ETWPM2Monitor version2] monitors the ETW event log [log name: ETWPM2] written by ETWProcessMon2.exe; the goal is monitoring Remote Thread Injection techniques (Technique Detection & Payload Detection via ETW).
! Note: ETWPM2Monitor2 v2.1 is the new version of the code & you can use it together with ETWProcessMon2.1 (v2.1).
! This version, ETWPM2Monitor2 v2.1, works with ETWProcessMon2.1, and both are
! very fast for (Remote-Thread-Injection) Technique/Payload Detection via ETW Events.
+ Code performance is now good, "a lot of bugs" are fixed, and a Processes Tab was added to the source.
+ Last source/exe update (24): v2.1.24.110 [Mar 16, 2022]...
Video: https://www.youtube.com/watch?v=DMtMTkAfFNo
Note: if you want the new v2.1 you should re-compile this project with the new source code [compile with .NET Framework v4.5] ;), woow, I had a lot of bugs in code v2.0, now fixed in v2.1, the compiler says so (not me). Code performance is now good and "a lot of bugs" [like TCP events flooding] were fixed with the last source update (11) v2.1.17.74 [Feb 21, 2022]...
Note: I will publish an article & help documents for this tool soon...
Related Article: https://www.linkedin.com/pulse/etwpm2monitor2-remote-thread-injection-detection-etw-mohammadbagher
Related Article: https://damonmohammadbagher.github.io/Posts/12aug2021x.html
Note: the goal is talking/thinking about how ETW can be used by Defenders/Blue teamers for defensive tools like EDR/AVs or your own tools, etc. So it does not matter what I did in my C# code; this code is just a test to show you how ETW can be used as a Blue teamer. These things/codes are made by my opinion & my focus was on the Remote Thread Injection attack, and on those things which I think Blue teamers should know better than before (especially the Alarms TAB events in this tool). This code was written for Chapter 15 of the ebook [Bypassing AVs by C# Programming] (I will publish ch15 soon ;D), which is about how ETW can be used by Defenders/Blue teamers & ...
Note: this code uses "Pe-sieve64.exe" & "Hollowshunter.exe", so to use it you need to download these exe files & paste them in the same folder as ETWPM2Monitor2.exe. I tested ETWPM2Monitor2 with Pe-sieve64.exe (ver 0.2.9.6) & Hollowshunter.exe (ver 0.2.9.6).
Note: all alarms (those processes which were detected by ETWPM2Monitor2 v2.1) are saved in the Windows event log named "ETWPM2Monitor2".
link1: https://github.com/hasherezade/pe-sieve
link2: https://github.com/hasherezade/hollows_hunter
Note: Event IDs 1, 2, 3, 4, 255 are saved by ETWPM2Monitor2.1 in the Windows event log named "ETWPM2Monitor2":
[Information] Event ID 1 : Detected + Scanned but not found
[Warning] Event ID 2 : Detected + Scanned & Found, or Suspended or Terminated via ETW Injection Events
[Information] Event ID 3 : Detection for Meterpreter Traffic only via ETW Tcp Events
[Warning] Event ID 4 : Detection for Shell Activity via ETW New Process Events
MD5 info ("exe files are not safe here in GitHub, so make your own exe files from the C# source by yourself [I recommend]"):
b913a0d66d-750478c5a8-1d557aad377d => ETWProcessMon2.exe
e2133acacd-2d03d23212-3276ddae943a => ETWProcessMon2.exe (v2.1)
0e5f6bd971-a53f450017-c6967d6549f1 => ETWPM2Monitor2.exe (v2.1)
Usage Steps
Step1: ETWProcessMon2.exe (Run as Admin)
Step2: ETWPM2Monitor2.exe (Run as Admin)
Note: you can use Filters on your search result for ... ; this simple code worked, but I will update the search/filters source code soon ;) [25 Feb 2022]
ETWPM2Monitor2 v2.1 (Detecting Cmd.exe for shell via [EventID 1] & Meterpreter Traffic Packets via [EventID 3])
ETWPM2Monitor2 v2.1 (Memory Scanner logs added to the code; now you can see what happened in the background when something was Detected or not by [Memory Scanners & events])
ETWPM2Monitor2 v2.1 (all Alarms & System/Detection logs are now saved in the Windows event log "ETWPM2Monitor2")
Windows event log "ETWPM2Monitor2": Event IDs 1, 2, 3, 4, 255 added...
[Event ID 1 Detected + Scanned but not found] ,
[Event ID 2 Detected + Scanned & Found or Suspended or Terminated via ETW Injection Events] ,
[Event ID 3 Detection for Meterpreter Traffic only via ETW Tcp Events] ,
[Event ID 4 Detection for Shell Activity via ETW New Process Events] ...
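The following is an added example (not code from the ETWPM2Monitor2 project) showing how a Blue teamer can pull the alarms listed above out of the "ETWPM2Monitor2" Windows event log with standard PowerShell cmdlets, map each Event ID (1, 2, 3, 4) to the meaning given in this README, and separate the Warning-level detections (IDs 2 and 4) from scanned-but-clean entries (ID 1). It assumes ETWPM2Monitor2.exe has already been run as Admin so the log exists; the label for ID 255 is an assumption, since the README lists it without a description.

```powershell
# Added example, not part of the ETWPM2Monitor2 source.
# Assumes the "ETWPM2Monitor2" event log was created by running the tool as Admin;
# reading it may also require an elevated PowerShell session.

# Event ID meanings as documented in the README. ID 255 is listed there
# without a description, so its label below is an assumption.
$EventMeaning = @{
    1   = 'Detected + scanned, but nothing found (Information)'
    2   = 'Detected + scanned and found, or suspended/terminated via ETW injection events (Warning)'
    3   = 'Meterpreter traffic detected via ETW TCP events (Information)'
    4   = 'Shell activity detected via ETW new-process events (Warning)'
    255 = 'Other system/detection log entry (assumed: not described in the README)'
}

function Get-ETWPM2Alarm {
    param(
        [int[]]$Id = @(1, 2, 3, 4, 255),
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    $filter = @{ LogName = 'ETWPM2Monitor2'; Id = $Id; StartTime = $Since }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when the log does not exist yet or has no matching records.
        Write-Warning "No ETWPM2Monitor2 events: $($_.Exception.Message)"
        return
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Level   = $e.LevelDisplayName
            Meaning = $EventMeaning[$e.Id]
            Message = $e.Message
        }
    }
}

# Only the Warning-level detections (IDs 2 and 4) from the last 24 hours, newest first.
Get-ETWPM2Alarm -Id 2, 4 | Sort-Object Time -Descending | Format-Table -AutoSize

# Count per Event ID, to see how much of the activity was scanned-but-clean (ID 1)
# versus actual injection or shell detections (IDs 2 and 4).
Get-ETWPM2Alarm | Group-Object Id | Select-Object Name, Count
```

Because IDs 1 and 3 are logged at the Information level and only IDs 2 and 4 at the Warning level, filtering on Id (rather than on Level alone) is the reliable way to separate a confirmed memory-scanner hit or shell detection from a process that was scanned and found clean.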