PowerKrabsEtw: PowerShell Interface For Doing Real-Time ETW Tracing - TechnoExploit


Wednesday, November 15, 2017

PowerKrabsEtw: PowerShell Interface For Doing Real-Time ETW Tracing

PowerKrabsEtw is a PowerShell module built around the krabsetw APIs. It exposes a subset of functionality directly available in krabsetw and is meant to streamline ETW experimentation.
Notes
This module is currently in an experimental state. This is the first PowerShell API I’ve written and while I’ve had great feedback working with @Lee_Holmes, I know it still needs work.

Please feel free to file issues if you have suggestions for improving the API.

Download
git clone https://github.com/zacbrown/PowerKrabsEtw.git

Examples

There are two main supported scenarios right now:
  • Trace-KrabsEtwProcess – think of this as similar to ProcMon filtered on a specific process.
    • This is not yet configurable. The data provided includes the following data sources:
      • IPv4/IPv6 TCP send
      • IPv4/IPv6 UDP send
      • DNS lookups
      • remote thread injections
      • child process creation (via CreateProcess or similar direct means)
      • WMI activity
      • registry activity
      • file activity
      • PowerShell function execution
      • DLL load activity
  • Create explicit providers, filters, and traces – this is a more flexible approach and best for experimentation.
Start powershell.exe with the -MTA flag; the module will fail to work otherwise:

powershell.exe -mta
1. Trace a process’s lifetime.

PS C:\dev\PowerKrabsEtw\PowerKrabsEtw\bin\x64\Debug> import-module .\PowerKrabsEtw
PS C:\dev\PowerKrabsEtw\PowerKrabsEtw\bin\x64\Debug> $events = Trace-ProcessWithEtw -ProcessName powershell.exe
PS C:\dev\PowerKrabsEtw\PowerKrabsEtw\bin\x64\Debug> $events | select -Unique EtwProviderName

EtwProviderName
---------------
Microsoft-Windows-Kernel-Registry
Microsoft-Windows-Kernel-Process
Microsoft-Windows-Kernel-File
Microsoft-Windows-PowerShell

PS C:\dev\PowerKrabsEtw\PowerKrabsEtw\bin\x64\Debug> $events[0]

EtwEventId : 7
EtwTimestamp : 11/12/17 11:13:34 PM 
EtwProcessId : 4980 
EtwThreadId : 904 
EtwProviderName : Microsoft-Windows-Kernel-Registry
KeyObject : 18446603362009679696 
Status : 3221225524
InfoClass : 2 
DataSize : 524 
KeyName :
ValueName : 3c74afb9-8d82-44e3-b52c-365dbf48382a
CapturedDataSize : 0 
CapturedData :
2. Set up a custom trace session for PowerShell events


PS C:\dev\PowerKrabsEtw\demo> Import-Module .\PowerKrabsEtw
>> $trace = New-EtwUserTrace
>> $provider = New-EtwUserProvider -ProviderName "Microsoft-Windows-PowerShell"
>> $filter = New-EtwCallbackFilter -EventId 7937
>> Set-EtwCallbackFilter -UserProvider $provider -Filter $filter
>> Set-EtwUserProvider -Trace $trace -Provider $provider
>>
>> Start-EtwUserTrace -Trace $trace | Where-Object { $_.CommandName -like "invoke-mimikatz" }


EtwEventId : 7937 
EtwTimestamp : 11/12/17 11:19:47 PM
EtwProcessId : 5308 
EtwThreadId : 2000 
EtwProviderName : Microsoft-Windows-PowerShell 
HostProcess : c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -mta 
CommandName : invoke-mimikatz 
CommandType : Function 
UserName : ZACBROWNDDDC\zbrown 
UserData : 
Payload : Command invoke-mimikatz is Started.

EtwEventId : 7937
EtwTimestamp : 11/12/17 11:19:47 PM 
EtwProcessId : 5308 
EtwThreadId : 2000 
EtwProviderName : Microsoft-Windows-PowerShell 
HostProcess : c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -mta 
CommandName : invoke-mimikatz 
CommandType : Function 
UserName : ZACBROWNDDDC\zbrown 
UserData : 
Payload : Command invoke-mimikatz is Stopped.
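The custom-trace scenario above filters one command name interactively. The script below is an added example, not part of the PowerKrabsEtw README, that turns the same cmdlets (New-EtwUserTrace, New-EtwUserProvider, New-EtwCallbackFilter, Set-EtwCallbackFilter, Set-EtwUserProvider, Start-EtwUserTrace) into a small monitoring loop: it subscribes to event 7937 from Microsoft-Windows-PowerShell, keeps only the "Started" half of each start/stop pair, matches the command name against a watch list, and appends matching invocations to a CSV. It assumes powershell.exe was launched with -mta, that the module is imported from the current directory, and that the event exposes the CommandName, CommandType, HostProcess, UserName and Payload fields shown in the output above; the watch-list entries and the output path are constructed for illustration.

```powershell
# Added example (not the PowerKrabsEtw project's own code): record watched
# PowerShell command invocations seen through ETW event 7937.
# Assumes: powershell.exe -mta, module in the current directory, and the
# event fields shown in the README output (CommandName, Payload, ...).

Import-Module .\PowerKrabsEtw

# Constructed watch list: command names worth an alert when they run.
# 'invoke-mimikatz' is the name used in the README's own example.
$watchList = @('invoke-mimikatz', 'invoke-expression', 'iex', 'invoke-webrequest')

# Constructed output location for the matched invocations.
$outFile = Join-Path $env:TEMP 'powershell-command-watch.csv'

$trace    = New-EtwUserTrace
$provider = New-EtwUserProvider -ProviderName 'Microsoft-Windows-PowerShell'

# Deliver only event 7937 (command started / stopped) from this provider.
$filter = New-EtwCallbackFilter -EventId 7937
Set-EtwCallbackFilter -UserProvider $provider -Filter $filter
Set-EtwUserProvider -Trace $trace -Provider $provider

# Start-EtwUserTrace streams events down the pipeline as they arrive.
Start-EtwUserTrace -Trace $trace |
    # Each invocation produces a Started and a Stopped event; keep one record.
    Where-Object { $_.Payload -like 'Command * is Started.' } |
    # -contains is case-insensitive, so 'Invoke-Mimikatz' also matches.
    Where-Object { $watchList -contains $_.CommandName } |
    ForEach-Object {
        $record = [pscustomobject]@{
            Timestamp   = $_.EtwTimestamp
            ProcessId   = $_.EtwProcessId
            ThreadId    = $_.EtwThreadId
            UserName    = $_.UserName
            CommandName = $_.CommandName
            CommandType = $_.CommandType
            HostProcess = $_.HostProcess
        }
        Write-Warning ("Watched command '{0}' run by {1} in PID {2}" -f `
            $record.CommandName, $record.UserName, $record.ProcessId)
        $record | Export-Csv -Path $outFile -Append -NoTypeInformation
    }
```

Event 7937 fires for every command in every PowerShell host on the machine, so the filter on the Payload text halves the volume and the watch list does the rest; a different event ID from the same provider can be substituted into New-EtwCallbackFilter if a different view (script contents rather than command names) is wanted. HostProcess is worth keeping in the record because it shows which process hosted the command, which is what separates an interactive session from an automated one when the CSV is reviewed later.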

Source: https://github.com/zacbrown/
