  • Language
    C++
  • Created over 4 years ago
  • Updated about 2 years ago


Repository Details

Sysmon-Like research tool for ETW

Sealighter - Easy ETW Tracing for Security Research


I created this project to help non-developers dive into researching Event Tracing for Windows (ETW) and Windows PreProcessor Tracing (WPP).

Features

  • Subscribe to multiple ETW and WPP Providers at once
  • Automatically parse events into JSON without needing to know their format
  • Robust Event filtering including filter chaining and filter negation
  • Output to Standard out, File, or Windows Event Log (to be ingested by other tools)
  • Get event stack traces
  • Configurable buffering: collapse many similar events within a time period into a single event carrying a count, to reduce the number of events generated

Screenshot of Sealighter running

Overview

Sealighter leverages the feature-rich Krabs ETW Library to enable detailed filtering and triage of ETW and WPP Providers and Events.

You can subscribe to and filter multiple providers, including User mode Providers, Kernel Tracing, and WPP Tracing, and output events as JSON to either stdout, a file, or the Windows Event Log (useful for high-volume traces like FileIO). No knowledge of the events the provider may produce, or of their format, is necessary: Sealighter automatically captures and parses any events it is asked to.

Events can then be parsed from JSON in Python or PowerShell, or forwarded to Splunk or ELK for further searching.

Filtering can be done on various aspects of an Event, from its ID or Opcode, to matching a property value, to doing an arbitrary string search across the entire event (useful in WPP traces, or when you don't know the event structure but have an idea of its contents). You can also chain multiple filters together, or negate a filter. You can also cap the number of events per ID, which is useful when investigating a new provider without being flooded by similar events.
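As an added example (not code from the Sealighter project), the filter semantics described above applied in Python to Sealighter-style JSON-lines output, as a triage script in the research loop might do: ID and Opcode matching, property matching, arbitrary string search across the whole event, chaining, negation, and a per-ID cap. The event field names (provider_name, event_id, opcode, properties) and the sample events are constructed assumptions, not the tool's documented output schema.

```python
import json
from collections import Counter
# Constructed sample events in a Sealighter-like JSON-lines shape. The field
# names (provider_name, event_id, opcode, properties) are assumptions for
# this example, not the tool's documented schema.
SAMPLE_EVENTS = "\n".join(json.dumps(ev) for ev in [
    {"provider_name": "Microsoft-Windows-Kernel-Process", "event_id": 1,
     "opcode": 1, "properties": {"ImageName": "notepad.exe", "ProcessID": 4242}},
    {"provider_name": "Microsoft-Windows-Kernel-Process", "event_id": 1,
     "opcode": 1, "properties": {"ImageName": "cmd.exe", "ProcessID": 4243}},
    {"provider_name": "Microsoft-Windows-Kernel-Process", "event_id": 2,
     "opcode": 2, "properties": {"ImageName": "cmd.exe", "ProcessID": 4243}},
    {"provider_name": "Microsoft-Windows-Kernel-Process", "event_id": 1,
     "opcode": 1, "properties": {"ImageName": "powershell.exe", "ProcessID": 4244}},
])

# Filter primitives mirroring the filter types the README lists.
def event_id_is(wanted):
    return lambda ev: ev.get("event_id") == wanted

def opcode_is(wanted):
    return lambda ev: ev.get("opcode") == wanted

def property_is(name, value):
    return lambda ev: ev.get("properties", {}).get(name) == value

def any_field_contains(needle):
    # Arbitrary case-insensitive string search across the whole serialised event.
    return lambda ev: needle.lower() in json.dumps(ev).lower()

def negate(pred):
    return lambda ev: not pred(ev)

def chain(*preds):
    # Filter chaining: every predicate must match for the event to pass.
    return lambda ev: all(p(ev) for p in preds)

def triage(jsonl, pred, max_per_id=None):
    """Parse JSON lines, keep events matching pred, and optionally cap how many
    events are kept per event_id so one noisy ID cannot flood the output."""
    seen = Counter()
    kept = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        eid = ev.get("event_id")
        if not pred(ev) or (max_per_id is not None and seen[eid] >= max_per_id):
            continue
        seen[eid] += 1
        kept.append(ev)
    return kept
```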

Why this exists

ETW is an incredibly useful system for both Red and Blue teams. Red teams may glean insight into the inner workings of Windows components, and Blue teams might get valuable insight into suspicious activity.

A common research loop would be:

  1. Identify interesting ETW Providers using `logman query providers`, or by looking for WPP traces in binaries
  2. Start a Session with the interesting providers enabled, and capture events whilst doing something 'interesting'
  3. Look over the results, using one or more of:
    • Eyeballing each event, or grepping for words you expect to see
    • Running a script in Python or PowerShell to help filter or find interesting captured events
    • Ingesting the data into Splunk or an ELK stack for some advanced UI-driven searching

Doing this with ETW Events can be difficult without writing code to interact with the obtuse ETW API and parse the events it returns. If you're not a strong programmer (or don't want to deal with the API), your only other option is to use a combination of older inbuilt Windows tools to write events to disk as binary .etl files, and then deal with those. WPP traces compound the issue, as there is almost no easy-to-find data about the providers and their events.

Projects like JDU2600's Event List and ETWExplorer give some static insight, but Providers often contain obfuscated event names like Event(1001), meaning the most interesting data only becomes visible by dynamically running a trace and observing the output.

So like SilkETW?

In a way, this plays in a similar space as FuzzySec's SilkETW. But while Silk is more production-ready for defenders, this is designed for researchers like myself, and as such contains a number of features that I couldn't get with Silk, mostly due to the different library they used to power the tool. Please see here for more information.

Intended Audience

Probably someone who understands the basics of ETW and really wants to dive into discovering what data you can glean from it, without having to write code or manually figure out how to get and parse events.

Getting Started

Please read the following pages:

Installation - How to start running Sealighter, including a simple config, and how to set up Windows Event logging if required.

Configuration - How to configure Sealighter, including how to specify what Providers to Log, and where to log to.

Filtering - Deep dive into all the types of filtering Sealighter provides.

Buffering - How to use buffering to report many similar events as one.

Parsing Data - How to get and parse data from Sealighter.

Scenarios - Walkthrough example scenarios of how I've used Sealighter in my research.

Limitations - Things Sealighter doesn't do well or at all.

Why it's called Sealighter

The name is a contraction of Seafood Highlighter, which is what we call fake crab meat in Oz. As it's built on Krabs ETW, I thought the name was funny.

Found problems?

Feel free to raise an issue, although as I state in the comparison docs I'm only a single person, and this is a research-ready tool, not a production-ready one.

Props and further reading

More Repositories

  1. bad-bpf (C, 530 stars) - A collection of eBPF programs demonstrating bad behavior, presented at DEF CON 29
  2. SealighterTI (C, 159 stars) - Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider
  3. PPLRunner (C, 141 stars) - Run Processes as PPL with ELAM
  4. bpf-hookdetect (C, 139 stars) - Detect syscall hooking using eBPF
  5. siemcraft (Go, 115 stars) - Security Information and Event Management in Minecraft
  6. commandline_cloaking (Go, 53 stars) - A collection of projects demonstrating various commandline cloaking techniques on Linux
  7. bpf-pipesnoop (C, 40 stars) - Example program using eBPF to log data being passed in using shell pipes
  8. toucli (Swift, 15 stars) - Use TouchID and the Secure Enclave to encrypt data from the commandline.
  9. SimpleAmsiProvider (C++, 13 stars) - A simple provider to analyse what gets passed into Microsoft's Anti-Malware Scan Interface
  10. tf_wireguard (HCL, 11 stars) - Simple Terraform Scripts to set up a WireGuard server on various cloud providers.
  11. https.server (Python, 8 stars) - Python SimpleHTTPServer wrapped in TLS
  12. bpf-uprobedbg (C, 7 stars)
  13. ctlwatcher (Rust, 6 stars) - Monitor Certificate Transparency logs for domains matching regexes.
  14. ld_preload_go (Go, 5 stars) - Simple example of creating an `LD_PRELOAD` library in Go that hooks LibC's main function.
  15. ebpf-pinned-fentry (C, 3 stars) - Example of how to run eBPF probes without a usermode process using fentry
  16. Presentations (3 stars) - A Repo to hold slides from presentations, etc.
  17. cookiecache (Python, 3 stars) - Simplify getting and using cookies from the browser to use in Python.
  18. dockenv (Python, 2 stars) - Dockenv - Run python in docker the easy way
  19. etwRunner (C++, 2 stars) - Basic KrabsETW runner template
  20. terraform-provider-bitlaunch (Go, 2 stars) - BitLaunch Terraform Provider
  21. pyauditlogger (Python, 1 star) - Auto-Add Python 3.8 audit hooks to all python scripts
  22. hijack-watcher (Rust, 1 star) - Rust version of HijackWatcher
  23. etw_watcher (PowerShell, 1 star) - Using GitHub Actions to create commit diffs
  24. PowerInject (C, 1 star) - Inject Interactive PowerShell into an arbitrary process
  25. sigstore-watcher (Rust, 1 star) - Watches SigStore Code Signing Logs
  26. sgproxy (Go, 1 star) - Basic HTTP/S proxy. Created to add HTTP Auth to a request from a client that doesn't support supplying auth in the URL, for example VSCode's Jupyter Notebook Server browser.
  27. Puppeteer-Stealth-Docker (Dockerfile, 1 star) - A simple example of how to do stealthy headless Chrome web scraping from a Docker container.