
ETW Monitoring Methodology (AFUNKT)

The objective of this work package is to develop a methodology for record-based analyses of Windows 10 Enterprise based on "Event Tracing for Windows" (ETW). Additionally, two concrete application areas are presented:
1. A data richness analysis of the Windows telemetry for concrete scenarios, using a record-based analysis
2. A record-based analysis of concrete threat hunting scenarios

Methodology for ETW Monitoring (AFUNKT)

Table of Contents

1 Introduction
1.1 Executive Summary
2 Concept and Terms
2.1 Component
2.2 Event Tracing for Windows
2.3 Record Data
2.4 Windows Telemetry
3 Technical Analysis of Functionalities
3.1 Scenario and Component Definition
3.2 ETW Provider Discovery
3.3 Record-Specific Metadata
3.4 Qualitative Analysis of Record Data
4 Exemplary Data Analysis
4.1 Windows Telemetry Data Richness Analysis
4.2 Record-Based Analysis of Threat Hunting Scenarios

Summary

The presented methodology is a four-step process. Initially, a non-technical scenario is defined and scoped. From this scenario the technical component is derived and its entities (i.e., binaries) are identified. In the second step, the Event Tracing for Windows (ETW) providers for these entities are discovered. In the third step, the record-specific metadata (keywords, levels, event definitions) of these providers is selected, so that the recording captures exactly the events that represent the scenario. Finally, in the fourth step it is shown how the recorded events can be analyzed.
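The following PowerShell script is an added example of how the four steps can be carried out with built-in Windows tooling; it is not code from the AFUNKT work package. The scenario ("a scheduled task launches a child process"), the entity list, the provider/keyword/level choices for the recording session, the session name and the 60-second recording window are all assumptions made for the illustration. It must be run from an elevated PowerShell on Windows 10, because starting an ETW session requires administrative rights.

```powershell
# Added example (not part of the AFUNKT work package): the four methodology steps
# with built-in Windows tooling. All scenario-specific values are assumptions.

# Step 1: scenario and component definition.
# Assumed scenario: "a scheduled task launches a child process". The entities
# are the binaries that implement the component (Task Scheduler service).
$Entities = @(
    "$env:SystemRoot\System32\svchost.exe",    # hosts the Schedule service (assumption)
    "$env:SystemRoot\System32\schedsvc.dll"    # Task Scheduler service DLL (assumption)
)

# Step 2: ETW provider discovery. Manifest-based providers register the binary
# carrying their message/resource strings; matching those paths against the
# entity list yields the providers that belong to the identified binaries.
function Find-ProvidersForBinary {
    param([string[]]$BinaryPaths)
    $wanted = $BinaryPaths | ForEach-Object { $_.ToLowerInvariant() }
    Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue |
        Where-Object {
            $files = @($_.MessageFilePath, $_.ResourceFilePath) |
                Where-Object { $_ } |
                ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).ToLowerInvariant() }
            ($files | Where-Object { $wanted -contains $_ }).Count -gt 0
        } |
        Select-Object Name, Id, MessageFilePath
}
$Providers = Find-ProvidersForBinary -BinaryPaths $Entities
$Providers | Format-Table -AutoSize

# Step 3: record-specific metadata. List keywords and event definitions of each
# discovered provider; this is the basis for choosing the keyword mask and level
# that scope the recording to the scenario.
foreach ($p in $Providers) {
    try {
        $meta = Get-WinEvent -ListProvider $p.Name -ErrorAction Stop
        "{0}: {1} keywords, {2} event definitions" -f $p.Name, $meta.Keywords.Count, $meta.Events.Count
        $meta.Keywords | Select-Object Name, @{ n = 'Mask'; e = { '0x{0:X}' -f $_.Value } } |
            Format-Table -AutoSize
    } catch {
        "{0}: metadata not readable ({1})" -f $p.Name, $_.Exception.Message
    }
}

# Record the scenario into an .etl file with a logman trace session (-ets).
# Microsoft-Windows-Kernel-Process with keyword 0x10 (process events) at level 5
# is an assumed choice that captures the child-process start itself; the
# providers found in step 2 are added with all keywords at level 5.
$Session = "AFUNKT-example"                       # assumed session name
$Etl     = Join-Path $env:TEMP "afunkt-example.etl"
logman start $Session -p "Microsoft-Windows-Kernel-Process" 0x10 5 -o $Etl -ets | Out-Null
foreach ($p in $Providers) {
    logman update trace $Session -p "{$($p.Id)}" 0xFFFFFFFFFFFFFFFF 5 -ets | Out-Null
}
Start-Sleep -Seconds 60       # exercise the scenario (run the task) in this window
logman stop $Session -ets | Out-Null

# Step 4: analysis. Get-WinEvent reads the .etl directly; grouping by provider
# and event ID shows which records the scenario actually produced.
Get-WinEvent -Path $Etl -Oldest |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The provider discovery in step 2 only finds manifest-based providers whose metadata names a message or resource file; TraceLogging and classic (MOF) providers do not expose such a path and would have to be found differently, for example with `logman query providers` combined with knowledge of the component. The step-4 grouping is the starting point for both application areas: for the telemetry data richness question it shows which event types the component emits at all, and for threat hunting it shows which of them fire when the scenario is exercised.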