
Watch the ETW kernel logger session

Open rabbitstack opened this issue 4 years ago • 0 comments

We should supervise the status of the NT Kernel Logger ETW session periodically. Some threat actors might sweep and end all running ETW sessions on the machine. If the NT kernel session is terminated, we'll try to start a new one and possibly send an alert indicating that the ETW session was stopped.

rabbitstack · Feb 16 '21 14:02
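The supervision loop the issue describes (query the session periodically, restart it if it is gone, raise an alert) as an added example in Go; this is illustrative code, not fibratus's own implementation. The `Probe`, `Start` and `Alert` callbacks are assumed adapters: on a real host they would wrap the Windows ETW control APIs, and the `FakeSession` below is a constructed stand-in so the logic can run and be tested anywhere.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// SessionState is what the probe reports about the kernel logger session.
type SessionState int

const (
	SessionRunning SessionState = iota
	SessionStopped
)

// Action is the watchdog's decision for one supervision tick.
type Action string

const (
	ActionNone      Action = "none"           // session healthy, nothing to do
	ActionRestarted Action = "restarted"      // session was gone, restart succeeded
	ActionFailed    Action = "restart-failed" // session was gone, restart failed
	ActionProbeErr  Action = "probe-error"    // could not even query the session
)

// Watchdog supervises a single ETW session. Probe, Start and Alert are
// injected (hypothetical adapters, not fibratus code) so the policy is
// testable without a Windows host.
type Watchdog struct {
	Session string
	Probe   func(session string) (SessionState, error)
	Start   func(session string) error
	Alert   func(msg string)
	// Counters kept for observability.
	Restarts, Failures int
}

// Tick performs one supervision step: query the session, and if it is
// gone, try to bring it back and raise an alert either way.
func (w *Watchdog) Tick() Action {
	state, err := w.Probe(w.Session)
	if err != nil {
		w.Alert(fmt.Sprintf("probe of session %q failed: %v", w.Session, err))
		return ActionProbeErr
	}
	if state == SessionRunning {
		return ActionNone
	}
	// The trace was stopped externally. Restart first, alert second:
	// restoring visibility is the priority, the alert records the gap.
	if err := w.Start(w.Session); err != nil {
		w.Failures++
		w.Alert(fmt.Sprintf("session %q stopped and restart failed: %v", w.Session, err))
		return ActionFailed
	}
	w.Restarts++
	w.Alert(fmt.Sprintf("session %q was stopped externally and has been restarted", w.Session))
	return ActionRestarted
}

// Run ticks on a fixed interval until ctx is cancelled.
func (w *Watchdog) Run(ctx context.Context, interval time.Duration) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-t.C:
			w.Tick()
		}
	}
}

// FakeSession is a constructed stand-in for a logger session whose state
// the caller can flip to simulate the session being torn down.
type FakeSession struct {
	Running  bool
	StartErr error // non-nil makes Start fail, e.g. simulating access denied
}

func (f *FakeSession) Probe(string) (SessionState, error) {
	if f.Running {
		return SessionRunning, nil
	}
	return SessionStopped, nil
}

func (f *FakeSession) Start(string) error {
	if f.StartErr != nil {
		return f.StartErr
	}
	f.Running = true
	return nil
}

func main() {
	fake := &FakeSession{Running: true}
	w := &Watchdog{
		Session: "NT Kernel Logger",
		Probe:   fake.Probe,
		Start:   fake.Start,
		Alert:   func(m string) { fmt.Println("ALERT:", m) },
	}
	fmt.Println(w.Tick()) // none
	fake.Running = false  // simulate the session being stopped
	fmt.Println(w.Tick()) // restarted
}
```

In a real build the `Run` loop would be started alongside the trace consumer, and `Alert` would feed whatever channel the sensor already uses for its own events, so a stopped session shows up in the same place as the telemetry it interrupted.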