A Splunk Technology Add-on to forward filtered ETW events.
The main purpose of this plugin is to select, filter and forward ETW events to Splunk.
Splunk-ETW
is written in C# and powered by cmake:
git clone https://github.com/airbus-cert/Splunk-ETW
mkdir build
cd build
cmake ..\Splunk-ETW
cmake --build . --target package --config release
These commands will produce Splunk-ETW.tar.gz
.
To build the Test solution:
cmake ..\Splunk-ETW -DBUILD_TESTS=ON
Download the Splunk-ETW.tar.gz
from the latest release.
Then you can simply install the add-on using the splunk.exe
command-line tool:
splunk.exe install app .\Splunk-ETW.tar.gz
splunk.exe enable app Splunk-ETW
Then you have to add the Splunk-ETW
stanza to your main inputs.conf
. The value must match an entry in the profile/
folder. By default, there is a single cert
profile provided. The associated inputs.conf
stanza would look like that:
[Splunk-ETW://cert]
Then just restart the Splunk service:
splunk.exe restart
You can of course add your own profiles!
Splunk-ETW
can load multiple profiles from the profile
folder.
Each profile is an INI file describing which events will be forwarded to the Splunk indexer.
To add a foo
profile:
- Create a
foo.ini
file inside theprofile
folder. - Add the associated line into the main
CMakeList.txt
file (copy and adjust the line underInstall config files
).
To use the foo
profile, just add the following line into the inputs.conf
of the Splunk Universal Forwarder:
[Splunk-ETW://foo]
Now that you have your profile registered into the Forwarder, edit the .ini
file and add the providers and filters you want (see details below).
Once you are satisfied with your profile, rebuild and reinstall the project as previously described.
To add a provider by name just add the following line into your profile file:
[Microsoft-Windows-WMI-Activity]
To add a provider by GUID you have to specify the type of provider:
- Manifest for manifest-based provider
- TL TraceLogging provider
- WPP Windows PreProcessor provider
; identical to [Microsoft-Windows-WMI-Activity]
[Manifest{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}]
; TraceLogging provider
[TL{8e805eb3-6a8f-4a1e-90fa-a831d94e54a1}]
; Windows Pre Processor provider
[WPP{8e805eb3-6a8f-4a1e-90fa-a831d94e54a1}]
In order to forward only some events produced by a provider, you can specify the relevant event ID:
; only forward event id 23 of Microsoft-Windows-WMI-Activity provider
[Microsoft-Windows-WMI-Activity://23]
You can add several IDs by adding more stanzas:
; Forward events 22 and 23 of Microsoft-Windows-WMI-Activity provider
[Microsoft-Windows-WMI-Activity://22]
[Microsoft-Windows-WMI-Activity://23]
You can filter by event ID for all kinds of providers:
; Filter event ID 23 of Manifest provider 1418EF04-B0B4-4623-BF7E-D74AB47BBDAA
[Manifest{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}://23]
Splunk-ETW
can filter forwarded events by field value. We can add a list of <field_nalme> = <field_value>
under the event forward definition.
All events which have the field with the associated value will be forwarded. For example, event ID 23
of the Microsoft-Windows-WMI-Activity
provider has a field named IsLocal
.
This field takes the value 0
when a process is created using the Win32_Process::Create
method through the network, like in a lateral movement scenario.
If we are only interested in this scenario we can apply the following filter:
[Microsoft-Windows-WMI-Activity://23]
IsLocal = 0
The Airbus CERT default profile comes with the following simple use-cases:
Detecting remote execution via WMI
WMI allows creating processes through the WIN32_Process
class which exposes a static Create
method. It can be invoked using the folowing PowerShell command:
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd /c systeminfo"
This method can be used for lateral movement.
WMI has a dedicated ETW provider named Microsoft-Windows-WMI-Activity
and a dedicated event ID for the Create
method: 23
. Splunk-ETW
will forward these events with the following config line:
[Microsoft-Windows-WMI-Activity://23]
Detecting PrintDemon
PrintDemon, aka CVE-2020-1048, can be detected by monitoring printer driver installation; in particular the installation of the driver named Generic / Text Only
.
The ETW provider Microsoft-Windows-PrintService
generates event ID 316
with the name of the driver included into the Param1
field.
Splunk-ETW
can forward this event if and only if the value of Param1
is equal to Generic / Text Only
, with the following config line:
[Microsoft-Windows-PrintService://316]
Param1=Generic / Text Only
Detecting BlueKeep
BlueKeep, aka CVE-2019-0708, is a vulnerability which targets the RDP protocol. Exploiting this vulnerability requires closing a particular channel named ms_t120
.
The ETW provider Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
monitors all closed channels by firing event ID 148
with the field ChannelName
set to the name of the channel.
Splunk-ETW
can forward this event if and only if the value of ChannelName
is equal to ms_t120
, with the following config line:
[Microsoft-Windows-RemoteDesktopServices-RdpCoreTS://148]
ChannelName=ms_t120
Greetz to vector-sec for his original work on TA_ETW!
Our previous work on ETW:
- SSTIC 2020 presentation (in French)
- Winshark: read ETW in WireShark
- etwbreaker: IDA plugin to find ETW providers