Looking for security documentation and consultancy? Visit ridgelinecyber.com
Sign In

ES1.4 Event Tracing for Windows (ETW)

· Module 1 · Free
Operational Objective
Every alert MDE generates, every event Sysmon captures, every telemetry point the EDR sensor transmits to the cloud starts with the same infrastructure: Event Tracing for Windows (ETW). ETW is the kernel-level instrumentation framework that produces the raw event data security tools consume. When ETW works, your detection stack has visibility. When an attacker tampers with ETW — patching providers in memory, disabling trace sessions, blinding specific consumers — your detection stack goes dark without generating a single alert about its own blindness. Understanding ETW is not optional for endpoint security engineers. It explains why your EDR sees what it sees, why certain evasion techniques work, and what happens to your detection capability when attackers target the instrumentation layer itself.
Deliverable: Understanding of the ETW architecture as it relates to EDR telemetry, the specific ETW providers that security tools depend on, the attack techniques that target ETW, and the detection and mitigation strategies for ETW tampering.
Estimated completion: 30 minutes
ETW ARCHITECTURE — PROVIDERS → SESSIONS → CONSUMERSETW PROVIDERSMicrosoft-Windows-Kernel-ProcessMicrosoft-Windows-Security-AuditingMicrosoft-Windows-DNS-ClientETW SESSIONS (BUFFERS)Kernel collects events in buffersSessions connect providers→consumersNT Kernel Logger, EventLog sessionsETW CONSUMERSMDE sensor (kernel + user mode)Sysmon driverEvent Log service → .evtx filesETW TAMPERING — ATTACKER TECHNIQUES TO BLIND SECURITY TOOLSPatch ETW provider functions in ntdll.dll → provider stops generating events → EDR goes blind for that data sourceDisable trace sessions (logman stop) → session stops delivering events → consumer receives nothingKernel callback removal → requires vulnerable driver → most dangerous, removes kernel-level visibility

Figure ES1.4 — ETW architecture. Providers generate events, sessions buffer and route them, consumers process them. Attackers target each component: patching providers (user mode), disabling sessions (admin), or removing callbacks (kernel). Each tampering technique blinds different parts of the security stack.

How ETW underpins your entire detection stack

ETW is a tracing framework built into the Windows kernel. Components throughout the operating system — the kernel, device drivers, system services, applications — register as ETW providers and emit structured events. These events flow through trace sessions (kernel-managed buffers) to consumers (the applications that process the events). The Windows Event Log service is an ETW consumer — every event you see in Event Viewer was generated by an ETW provider. MDE’s sensor is an ETW consumer — the process creation, network connection, file write, and registry modification events that appear in Advanced Hunting tables originate from ETW providers. Sysmon’s kernel driver registers its own ETW provider and also consumes events from other providers.

The security-critical ETW providers include: Microsoft-Windows-Kernel-Process (process creation and termination), Microsoft-Windows-Kernel-File (file system operations), Microsoft-Windows-Kernel-Network (network connections), Microsoft-Windows-Kernel-Registry (registry modifications), Microsoft-Windows-Security-Auditing (security events — logon, privilege use, object access), Microsoft-Windows-PowerShell (PowerShell script execution), and Microsoft-Antimalware-Engine (Defender AV scan results). When these providers are functioning normally, MDE and Sysmon have full visibility. When any of these providers are tampered with, the corresponding detection category goes dark.

Expand for Deeper Context

The architectural dependency is worth stating explicitly: MDE does not independently observe process creation. It receives process creation events from ETW providers (and kernel callbacks, which are a separate mechanism). If the ETW provider stops generating process creation events, MDE stops seeing new processes. This does not generate an alert — from MDE’s perspective, no new processes were created. The absence of events is indistinguishable from a quiet system.

This is why ETW tampering is classified as defense evasion (MITRE T1562.006 — Impair Defenses: Indicator Blocking). The attacker does not disable the security tool directly (which tamper protection prevents). Instead, the attacker blinds the data source that the security tool depends on. The security tool continues running, continues sending heartbeats, continues appearing healthy in the portal — it just stops receiving the events that would trigger detections.

MDE’s kernel-mode driver provides partial protection against ETW tampering because it uses kernel callbacks (PsSetCreateProcessNotifyRoutine) in addition to ETW. Kernel callbacks are a separate notification mechanism that fires directly in the kernel, independent of ETW. An attacker who patches user-mode ETW providers does NOT blind MDE’s kernel callbacks. But an attacker who can load a vulnerable driver and patch kernel callbacks can blind even MDE’s deepest visibility layer. This is the arms race described in ES1.1 — and the reason the ASR rule “Block abuse of exploited vulnerable signed drivers” exists.

ETW tampering: how attackers blind your EDR

The three primary ETW tampering techniques represent escalating levels of sophistication and impact:

User-mode ETW patching. The attacker patches the EtwEventWrite function in ntdll.dll within their own process. By overwriting the first bytes of the function with a return instruction (ret/0xC3), any ETW event the process attempts to generate returns immediately without writing the event. This blinds ETW-based monitoring for that specific process. Other processes are unaffected — their copies of ntdll.dll are not patched. MDE’s kernel callbacks still observe the process because kernel callbacks are independent of user-mode ETW. This technique evades user-mode ETW consumers but NOT kernel-mode visibility.

Trace session manipulation. An attacker with administrative privileges can stop ETW trace sessions using logman stop "EventLog-Security" or similar commands. This stops the Security event log from receiving events — effectively disabling security auditing. An attacker can also modify trace session parameters to reduce buffer sizes (causing event loss) or disable specific providers within a session. MDE’s sensor runs its own trace session that is protected by tamper protection — an attacker cannot easily stop MDE’s session. But other sessions (Event Log, custom security monitoring) are vulnerable.

Kernel callback removal. The most sophisticated technique. An attacker who can execute kernel code (typically through a vulnerable driver loaded via BYOVD) can locate and remove the kernel callback routines that MDE’s driver registered. Without these callbacks, MDE loses kernel-level process creation, thread creation, and handle operation visibility. This is the “nuclear option” for EDR evasion — it blinds the deepest visibility layer. Defense: HVCI (Hypervisor-Protected Code Integrity) prevents unsigned kernel code from executing, and the ASR rule for vulnerable drivers prevents known exploitable drivers from loading.

Decision Point

Your red team reports they successfully patched ETW in their Cobalt Strike beacon process, causing MDE to miss PowerShell script content from that specific process. Is this a critical finding that requires immediate remediation? It depends on what else MDE can see. User-mode ETW patching blinds the Microsoft-Windows-PowerShell ETW provider for the beacon process — MDE does not receive ScriptBlock events from that process. But MDE’s kernel callbacks still observe the beacon’s process creation, its network connections (the C2 beacon), and its child process creation. The ETW patch hides script CONTENT but not script EXECUTION or network BEHAVIOR. The remediation: ensure kernel-mode visibility is protected (HVCI enabled, vulnerable driver ASR rule in block mode) and build detections that do not rely solely on script content — process chain analysis, network beaconing patterns, and behavioral correlation all function without ETW-based script content.

Try it: enumerate ETW providers on your system
1
2
3
4
5
6
7
8
9

# List active ETW trace sessions
logman query -ets | Select-String "Session Name"

# List security-relevant ETW providers
logman query providers | Select-String "Microsoft-Windows-Security|Microsoft-Windows-Kernel|Microsoft-Windows-PowerShell|Microsoft-Antimalware"

# Check if MDE's ETW session is running
logman query "DiagTrack" -ets 2>$null
logman query "SenseIRTraceSession" -ets 2>$null

The presence of active trace sessions for DiagTrack and MDE-specific sessions confirms that the MDE sensor’s ETW consumption is active. If these sessions are missing, the MDE sensor may not be functioning correctly — investigate sensor health through the MDE portal.

ETW providers that matter for endpoint security

Windows includes hundreds of ETW providers, but a small subset generates the telemetry that MDE and Sysmon depend on for security monitoring. Understanding which providers generate which events helps you recognise what an attacker loses visibility to when they tamper with a specific provider.

Microsoft-Windows-Kernel-Process: generates process creation and termination events. This is the foundation of DeviceProcessEvents in MDE. When an attacker patches this provider, MDE stops receiving new process creation events from the attacker’s process context — the attacker becomes invisible in the process table.

Microsoft-Windows-Kernel-File: generates file creation, modification, and deletion events. This feeds DeviceFileEvents. Tampering with this provider hides file drops and file modifications from MDE’s telemetry.

Microsoft-Windows-Kernel-Network: generates network connection events. This feeds DeviceNetworkEvents. An attacker who patches this provider can establish C2 connections and perform data exfiltration without the connections appearing in MDE’s network telemetry.

Microsoft-Windows-PowerShell: generates PowerShell execution events including ScriptBlock logging (Event ID 4104). This provider is a frequent target for attackers because PowerShell is the primary execution engine for many attack tools. Patching this provider suppresses ScriptBlock logging — the decoded command content is not recorded even when ScriptBlock logging is configured through Group Policy.

Microsoft-Windows-Security-Auditing: generates Windows Security event log events (4624 logon, 4688 process creation, 4672 privilege use). This provider operates through a different mechanism than the kernel ETW providers — it is managed by the Local Security Authority (LSA) and is harder to tamper with from user mode. However, an attacker with SYSTEM privileges can modify the audit policy to suppress specific event categories.

The detection strategy for ETW tampering: monitor for the patching behaviour itself (API calls to EtwEventWrite modification patterns), deploy Sysmon as an independent telemetry channel that uses kernel callbacks rather than ETW subscriptions, and alert on anomalous telemetry gaps (a device that suddenly stops generating process events is suspicious in itself). ES12.4 covers ETW tampering detection in depth.

Compliance Myth: "Our EDR watches everything on the endpoint — there are no blind spots"

The myth: EDR has full visibility into all endpoint activity. If something happens on the endpoint, the EDR sees it.

The reality: EDR visibility depends on the instrumentation that feeds it — primarily ETW providers and kernel callbacks. Both can be tampered with. User-mode ETW patching is a documented, widely-used evasion technique available in most modern C2 frameworks. Kernel callback removal, while more difficult, is achievable through BYOVD attacks. The EDR has visibility into what its instrumentation can observe — which is comprehensive under normal conditions but degradable under adversarial conditions. This is why defense-in-depth matters: ASR rules prevent techniques at the prevention layer (before the attacker needs to evade detection). HVCI protects kernel integrity. Sysmon provides an independent telemetry source. Multiple overlapping visibility sources make it harder for the attacker to blind ALL of them simultaneously.

ETW session architecture and performance implications

ETW sessions are the intermediary between providers and consumers. The kernel maintains buffers for each active session, and events flow from provider → session buffer → consumer. Two session types matter for security:

Real-time sessions deliver events to consumers as they are generated — MDE’s sensor uses real-time sessions for immediate processing. The trade-off: real-time sessions consume kernel memory proportional to event volume, and if the consumer cannot process events fast enough, events are dropped silently. On high-throughput servers generating thousands of events per second, ETW event loss is a real operational concern — events are generated but never reach the security tool. The MDE sensor is optimised for this, but third-party ETW consumers (custom security tools, log forwarders) may not handle high-volume sessions gracefully.

Log file sessions write events to .etl files on disk — the Windows Event Log service uses this mechanism. Events are buffered and flushed periodically. The advantage: no real-time processing bottleneck. The disadvantage: latency between event generation and availability (typically seconds, but longer under heavy IO load). For forensic investigation, both real-time (MDE telemetry) and log file (Windows Event Log, Sysmon Operational log) capture the same events through different paths — providing redundancy when one path fails.

Troubleshooting

“Our Sysmon events stopped appearing in Sentinel but the Sysmon service is running.” Check whether the Sysmon ETW session is active: logman query "EventLog-Microsoft-Windows-Sysmon/Operational" -ets. If the session exists but events are not flowing to Sentinel, the issue is likely in the log forwarding pipeline (Windows Event Forwarding or the Sentinel agent). If the session does not exist, the Sysmon service may be running but its ETW provider may not be generating events — reinstall or reconfigure Sysmon.

“MDE shows ‘Sensor health: Active’ but we are not seeing new process events in Advanced Hunting.” The sensor health check confirms the sensor service is running and communicating with the cloud. It does not confirm that all ETW providers are generating events. Check whether tamper protection is enabled (Settings → Endpoints → Advanced features). If tamper protection is off, an attacker (or misconfigured software) may have disrupted MDE’s trace sessions. Enable tamper protection and restart the sensor service.

Operational Artifact — ETW Protection Checklist

Protect ETW integrity with these controls: (1) Enable HVCI to prevent unsigned kernel code execution — this blocks kernel callback removal via BYOVD exploits. (2) Enable ASR rule “Block abuse of exploited vulnerable signed drivers” in block mode — this prevents BYOVD attacks that are the prerequisite for kernel-level ETW tampering. (3) Enable tamper protection for MDE — this prevents administrative tampering with MDE’s trace sessions and sensor configuration. (4) Deploy Sysmon as an independent telemetry source — if an attacker blinds MDE’s ETW consumption, Sysmon (which uses its own driver and ETW provider) provides fallback visibility. (5) Build a detection rule for ETW tampering indicators: processes that load ntdll.dll and immediately modify its memory regions, logman commands targeting security-relevant trace sessions, or driver loading events for known vulnerable drivers.

An attacker patches the EtwEventWrite function in ntdll.dll within their Cobalt Strike beacon process. Which of the following detection capabilities is affected?
MDE loses all visibility into the process — process creation, network connections, and file writes are all invisible because they all depend on ETW.
MDE loses ETW-based visibility for that specific process — primarily script content from PowerShell/AMSI providers and some user-mode event data. However, MDE's kernel-mode driver uses kernel callbacks (PsSetCreateProcessNotifyRoutine, network callbacks) that are INDEPENDENT of user-mode ETW. The kernel still sees the beacon process's creation, its network connections (C2 beaconing), its child process creation (post-exploitation commands), and file system operations (through minifilter callbacks). The patched ETW function only affects events generated by the beacon process through user-mode ETW — it does not affect kernel-mode observation of the process by MDE's driver. This is why MDE has both user-mode and kernel-mode components: user-mode ETW can be tampered with, kernel-mode callbacks cannot (without kernel-level access).
No detection capability is affected because MDE does not use ETW — it uses its own proprietary instrumentation that is independent of Windows telemetry frameworks.
All processes on the endpoint lose ETW visibility because ntdll.dll is shared across all processes.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← Previous Next →