Post from 2024-01-29 16:19:52
[DebugPrivilege @ X] I did two write-ups about ETW. The first one covers how to capture an ETW trace and includes a case study using the WinInet provider to analyze Cobalt Strike. The second one covers how EDRs are using the DotNetRuntime ETW.
https://github.com/DebugPrivilege/InsightEngineering/tree/main/Debugging%20101/Section%208%3A%20Introduction%20to%20WPT/WPA%20Review%20-%20How%20to%20capture%20ETW%20trace%3F
https://github.com/DebugPrivilege/InsightEngineering/tree/main/Debugging%20101/Section%208%3A%20Introduction%20to%20WPT/WPA%20Review%20-%20CLR%20Module%20Load%20Events