ETW Lab - CameronProvost/SEC440 GitHub Wiki
Event Tracing for Windows (ETW)
1. Deliverable #1: Finding Notepad and File Created using WPA
2. Deliverable #2: Finding Notepad and File Created using PerfView
3. Deliverable #3: Submit a screenshot of the PowerShell provider output you found
4. Deliverable #4: provide a screenshot of your query mytrace1 output.
5. Deliverable #5: provide a screenshot of your query mytrace1 output showing the provider being added to this trace.
6. Deliverable #6: You are required to do the following (PLEASE READ CAREFULLY):
7. Deliverable #7: provide a screenshot of your query showing that both mytrace1 and mytrace2 are running.
8. Deliverable #8: provide a screenshot of your query showing that both mytrace1 and mytrace2 are no longer running and have been successfully stopped, similar to the output of 1.4.
9. Deliverable #9: You are required to find traces of usage in the mytrace1.etl for all of the following:
10. Deliverable #10: You are required to find PowerShell CmdLet traces of usage in the mytrace2.etl for all of the following:
11. Deliverable #11: Use the methods and techniques that you have learned so far to analyze this file and find the following:
What was the name of the process that loaded the suspicious DLL?
The process that loaded the suspicious DLL is Process (4656) (4656).
What was the name of the DLL?
The name of the DLL is rundll32.exe.
Where is this suspicious DLL loaded from (file location)?
The file location for the DLL is \Device\HarddiskVolume1\Windows\System32\rundll32.exe.
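The trace lifecycle behind Deliverables 3 through 10 (create mytrace1, add the PowerShell provider, run mytrace2 alongside it, stop both, then read the .etl files) and the image-load search behind Deliverable 11, as an added example that is not part of this lab page or the course material. It assumes logman.exe is the tool behind the "query" steps, that traces go under a placeholder directory C:\traces, and that it runs from an elevated PowerShell prompt.

```powershell
# Added example, not the lab's own script. Assumes logman.exe, an elevated prompt,
# and the placeholder directory C:\traces for the .etl output.
$TraceDir = 'C:\traces'
New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null

# Deliverable 3: list the PowerShell ETW provider(s) registered on this host.
logman query providers | Select-String -Pattern 'PowerShell'

# Deliverable 4: start mytrace1 with the kernel process provider, keyword 0x40
# (WINEVENT_KEYWORD_IMAGE) so DLL/image loads are recorded. -ets = live session.
logman create trace mytrace1 -p 'Microsoft-Windows-Kernel-Process' 0x40 -o "$TraceDir\mytrace1.etl" -ets
logman query mytrace1 -ets

# Deliverable 5: add the PowerShell provider to the already running mytrace1.
logman update trace mytrace1 -p 'Microsoft-Windows-PowerShell' -ets
logman query mytrace1 -ets

# Deliverables 6 and 7: start a second session and confirm both are running.
logman create trace mytrace2 -p 'Microsoft-Windows-PowerShell' -o "$TraceDir\mytrace2.etl" -ets
logman query -ets | Select-String -Pattern 'mytrace'

# ... generate the activity to be found here (open Notepad, save a file, run cmdlets) ...

# Deliverable 8: stop both sessions; the .etl files are finalised on stop.
logman stop mytrace1 -ets
logman stop mytrace2 -ets

# Deliverables 9 and 11: image-load events (Kernel-Process event ID 5) in mytrace1.etl.
# -Oldest is mandatory when reading .etl files. Property indexes follow the
# provider's ImageLoad template (ProcessID = 2, ImageName = 6); confirm them on your
# build with: Get-WinEvent -Path ... -Oldest | Select-Object -First 1 -ExpandProperty Properties
Get-WinEvent -Path "$TraceDir\mytrace1.etl" -Oldest |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Process' -and $_.Id -eq 5 } |
    ForEach-Object {
        [pscustomobject]@{
            Time  = $_.TimeCreated
            PID   = $_.Properties[2].Value
            Image = $_.Properties[6].Value   # \Device\HarddiskVolumeN\... form, as in the answer above
        }
    } |
    Where-Object { $_.Image -match 'rundll32' } |
    Format-Table -AutoSize

# Deliverable 10: PowerShell cmdlet traces recorded in mytrace2.etl.
Get-WinEvent -Path "$TraceDir\mytrace2.etl" -Oldest |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-PowerShell' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

The same PID/Image pairs can be cross-checked against the WPA "Images" graph used in Deliverable 1, since both read the same ImageLoad events.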
Reflection
Through this lab I gained a better understanding of how Windows tracks and records events, and how to look for them using tools like WPR and WPA. Looking through all the information can be difficult because of the number of events that occur, but learning how to filter through these events is very useful. I feel like I have gained a better understanding of these tools and how they can be used to look for malicious activity.