Sealighter – Easy ETW Tracing for Security Research

June 27, 2022

I created this project to help non-developers dive into researching Event Tracing for Windows (ETW) and Windows PreProcessor Tracing (WPP).

Features

  • Subscribe to multiple ETW and WPP Providers at once
  • Automatically parse events into JSON without needing to know format
  • Robust Event filtering including filter chaining and filter negation
  • Output to Standard out, File, or Windows Event Log (to be ingested by other tools)
  • Get event stack traces
  • Configurable buffering: collapse many similar events within a time period into a single event carrying a count, to reduce the number of events generated

Overview

Sealighter leverages the feature-rich Krabs ETW Library to enable detailed filtering and triage of ETW and WPP Providers and Events.

You can subscribe to and filter multiple providers, including user-mode providers, kernel tracing, and WPP tracing, and output events as JSON to either stdout, a file, or the Windows Event Log (useful for high-volume traces like FileIO). No knowledge of the events the provider may produce, or of their format, is necessary: Sealighter automatically captures and parses any events it is asked to.

Events can then be parsed from JSON in Python, PowerShell, or forwarded to Splunk or ELK for further searching.

Filtering can be done on various aspects of an event, from its ID or opcode, to matching a property value, to doing an arbitrary string search across the entire event (useful in WPP traces, or when you don’t know the event structure but have an idea of its contents). Multiple filters can be chained together, and any filter can be negated. You can also cap the maximum number of events per ID, which is useful when investigating a new provider without being flooded by similar events.
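To make the filtering and buffering semantics described above concrete, here is an added example (not part of Sealighter itself) that applies the same kinds of filters, ID, property match, arbitrary string search, chaining, negation and a per-ID cap, to a constructed JSON-per-line trace, then buffers the survivors into per-ID counts. The header/properties layout and field names of the sample events are assumptions, as is the name `buffer_by_id`.

```python
import json
from collections import Counter

# Constructed sample trace, one JSON event per line, in a header+properties
# layout assumed to resemble Sealighter's JSON output (field names are assumptions).
SAMPLE_TRACE = r"""
{"header": {"event_id": 1, "provider_name": "Microsoft-Windows-Kernel-Process", "pid": 4120}, "properties": {"ImageName": "C:\\Windows\\System32\\cmd.exe"}}
{"header": {"event_id": 1, "provider_name": "Microsoft-Windows-Kernel-Process", "pid": 4121}, "properties": {"ImageName": "C:\\Windows\\System32\\notepad.exe"}}
{"header": {"event_id": 4104, "provider_name": "Microsoft-Windows-PowerShell", "pid": 5000}, "properties": {"ScriptBlockText": "Invoke-WebRequest http://example.invalid/a"}}
{"header": {"event_id": 4104, "provider_name": "Microsoft-Windows-PowerShell", "pid": 5000}, "properties": {"ScriptBlockText": "Get-Process"}}
{"header": {"event_id": 12, "provider_name": "Microsoft-Windows-Kernel-File", "pid": 4120}, "properties": {"FileName": "C:\\Users\\a\\Desktop\\report.docx"}}
{"header": {"event_id": 12, "provider_name": "Microsoft-Windows-Kernel-File", "pid": 4121}, "properties": {"FileName": "C:\\Users\\a\\Desktop\\todo.txt"}}
"""

def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# Filter building blocks: each returns a predicate over a single event.
def event_id_is(eid):
    return lambda ev: ev["header"]["event_id"] == eid
def property_is(name, value):
    return lambda ev: ev["properties"].get(name) == value
def any_field_contains(needle):
    # Case-insensitive search across the whole serialised event: useful for
    # WPP traces or when the event layout is unknown but its contents are not.
    return lambda ev: needle.lower() in json.dumps(ev).lower()

# Chaining and negation.
def any_of(*preds):
    return lambda ev: any(p(ev) for p in preds)
def all_of(*preds):
    return lambda ev: all(p(ev) for p in preds)
def negate(pred):
    return lambda ev: not pred(ev)

def apply_filter(events, pred, max_per_id=None):
    """Keep events matching pred, optionally capping how many per event ID survive."""
    seen, kept = Counter(), []
    for ev in events:
        eid = ev["header"]["event_id"]
        if not pred(ev) or (max_per_id is not None and seen[eid] >= max_per_id):
            continue
        seen[eid] += 1
        kept.append(ev)
    return kept

def buffer_by_id(events):
    """Collapse events sharing (provider, ID) into one record carrying a count."""
    counts = Counter((ev["header"]["provider_name"], ev["header"]["event_id"]) for ev in events)
    return {key: {"count": n} for key, n in counts.items()}
```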

Why this exists

ETW is an incredibly useful system for both Red and Blue teams. Red teams may glean insight into the inner workings of Windows components, and Blue teams might get valuable insight into suspicious activity.

A common research loop would be:

  1. Identify interesting ETW providers using logman query providers, or by looking for WPP traces in binaries
  2. Start a session with the interesting providers enabled, and capture events whilst doing something ‘interesting’
  3. Look over the results, using one or more of:
    • Eyeballing each event, or grepping for words you expect to see
    • Running a script in Python or PowerShell to help filter or find interesting captured events
    • Ingesting the data into Splunk or an ELK stack for some advanced UI-driven searching

Doing this with ETW events can be difficult without writing code to interact with, and parse events from, the obtuse ETW API. If you’re not a strong programmer (or don’t want to deal with the API), your only other option is to use a combination of older inbuilt Windows tools to write events to disk as binary .etl files, and then deal with those. WPP traces compound the issue, providing almost no easy-to-find data about providers and their events.

Projects like JDU2600’s Event List and ETWExplorer give some static insight, but providers often contain obfuscated event names like Event(1001), meaning the most interesting data only becomes visible by dynamically running a trace and observing the output.

So like SilkETW?

In a way, this plays in a similar space to FuzzySec’s SilkETW. While Silk is more production-ready for defenders, this is designed for researchers like myself, and as such contains a number of features that I couldn’t get with Silk, mostly due to the different library they used to power the tool. Please see the comparison page for more information.

Intended Audience

Probably someone who understands the basics of ETW, and really wants to dive into discovering what data you can glean from it, without having to write code or manually figure out how to get and parse events.

Getting Started

Please read the following pages:

Installation – How to start running Sealighter, including a simple config, and how to set up Windows Event logging if required.

Configuration – How to configure Sealighter, including how to specify what Providers to Log, and where to log to.

Filtering – Deep dive into all the types of filtering Sealighter provides.

Buffering – How to use buffering to report many similar events as one.

Parsing Data – How to get and parse data from Sealighter.

Scenarios – Walkthrough example scenarios of how I’ve used Sealighter in my research.

Limitations – Things Sealighter doesn’t do well or at all.

Why it’s called Sealighter

The name is a contraction of Seafood Highlighter, which is what we call fake crab meat in Oz. As it’s built on Krabs ETW, I thought the name was funny.

Found problems?

Feel free to raise an issue, although as I state in the comparison docs I’m only a single person, and this is a research-ready tool, not a production-ready one.

Props and further reading

  • Great Blog on ETW and WPP from Matt Graeber
  • JDU2600’s Event List
  • ETWExplorer
  • Krabs ETW, the library that powers Sealighter
  • SilkETW
Download Sealighter
