ETW Archives

Winsage

May 11, 2026

Rustinel: Open-source endpoint detection for Windows and Linux

Open-source endpoint detection tools have typically been divided between Windows and Linux, with Windows solutions focused on Sysmon and Linux solutions on eBPF or auditd. Rustinel is a Rust-based endpoint agent that consolidates these efforts by gathering telemetry from both operating systems using ETW on Windows and eBPF on Linux, normalizing the data into a unified model. It evaluates the information against Sigma rules, YARA signatures, and atomic indicators of compromise, storing alerts in ECS-compatible NDJSON format for integration with SIEM or log-analysis platforms. Rustinel supports a range of events on Windows, including process creation, network activity, and PowerShell executions, while Linux support currently includes process, network, file, and DNS telemetry. It operates in user mode on both platforms, requiring specific conditions for installation. Unlike commercial EDR solutions that use kernel drivers, Rustinel's user-mode design prioritizes simplicity and stability, although it acknowledges limitations in tamper resistance and visibility. The agent utilizes three detection engines: Sigma for behavioral matching, YARA for scanning executables, and an IOC engine for deterministic checks. While it leverages existing content familiar to defenders, it has coverage gaps for certain advanced threats. Rustinel is available on GitHub under the Apache 2.0 license.

Winsage

April 25, 2026

New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions

PhantomRPC is a significant architectural vulnerability in the Windows Remote Procedure Call (RPC) framework that allows local privilege escalation to SYSTEM-level access across all Windows versions. Discovered by Kaspersky's Haidar Kabibo at Black Hat Asia 2026, this vulnerability stems from the RPC runtime's failure to verify the legitimacy of a responding server during calls to offline or disabled servers. Attackers can exploit this by setting up a malicious RPC server that impersonates a legitimate endpoint, using the RpcImpersonateClient API to escalate privileges from low-privileged accounts to SYSTEM or Administrator levels. Five distinct exploitation paths have been identified: 1. gpupdate.exe coercion: An attacker can intercept an RPC call made by the Group Policy Client service when executing gpupdate /force, granting SYSTEM-level access if TermService is disabled. 2. Microsoft Edge startup: Launching msedge.exe triggers an RPC call to TermService, allowing privilege escalation from Network Service to Administrator via a spoofed endpoint. 3. WDI background service: The Diagnostic System Host polls TermService regularly, enabling an attacker to exploit this without user interaction. 4. ipconfig.exe and DHCP Client: Running ipconfig.exe initiates an RPC call to the DHCP Client service, allowing a Local Service attacker to elevate privileges if DHCP is disabled and a fake server is present. 5. w32tm.exe and Windows Time: An attacker can expose a named pipe endpoint, allowing them to impersonate any privileged user executing the Windows Time executable. The vulnerability was reported to Microsoft on September 19, 2025, but Microsoft categorized it as moderate severity and closed the case without a patch, as the attack requires SeImpersonatePrivilege, which is granted by default to certain accounts. Organizations are advised to implement defensive measures such as enabling RPC monitoring, ensuring legitimate services are running, and restricting SeImpersonatePrivilege. Kaspersky has provided tools for auditing environments for exploitable RPC call patterns through the PhantomRPC GitHub repository.

Winsage

January 29, 2026

Swarmer Tool Evading EDR With a Stealthy Modification on Windows Registry for Persistence

Praetorian Inc. has launched Swarmer, a tool that enables low-privilege attackers to maintain stealthy persistence in the Windows registry while avoiding detection by Endpoint Detection and Response (EDR) systems. Swarmer uses mandatory user profiles and the Offline Registry API to modify the NTUSER hive without triggering standard registry hooks. It operates by creating an NTUSER.MAN file that replaces the NTUSER.DAT hive upon user login, allowing low-privilege users to manipulate registry settings without alerting EDR tools. Swarmer employs functions from Microsoft’s Offline Registry Library, enabling it to perform operations without invoking Reg* API calls, thus evading detection mechanisms. Swarmer's workflow involves exporting the HKCU registry, modifying it, and executing the tool with specific commands to place the modified NTUSER.MAN file into the user profile. It can be used as an executable or a PowerShell module. While it presents a novel method for persistence, Swarmer has limitations, such as being unable to update without admin access and requiring user login to activate. Detection strategies include monitoring for NTUSER.MAN file creation and Offreg.dll usage in non-standard processes.

Tech Optimizer

October 10, 2025

From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation revealed that a Python-based infostealer campaign led to the deployment of PureRAT, a sophisticated remote access trojan (RAT). The campaign began with a phishing email containing a ZIP archive that included a legitimate PDF reader executable and a malicious DLL. The DLL executed a series of payloads, including a Python info-stealer that harvested sensitive data and exfiltrated it via the Telegram API. The attack progressed to a .NET executable, which employed techniques like process hollowing and evasion tactics to load additional payloads. The final payload, Mhgljosy.dll, was identified as PureRAT, which established an encrypted command-and-control (C2) channel and allowed for extensive control over the compromised host. The C2 server was traced to Vietnam, suggesting a connection to the PXA group. The malware's functionality included host fingerprinting, command execution, and potential access to sensitive information and resources. Indicators of compromise included specific file hashes, registry keys, and IP addresses associated with the C2 server.

Winsage

September 26, 2025

LNK Malware Leverages Legit Windows Files to Slip Past Defenses

Threat actors from Israel have reintroduced the use of Windows shortcut (.LNK) files to deliver a Remote Access Trojan (RAT). Victims are lured to download a file named “cyber security.lnk” from a Discord channel, which opens a decoy PDF while executing a PowerShell script in the background. The script uses odbcconf.exe to register and execute a malicious DLL (Moq.dll) and its supporting libraries. The RAT can collect system metrics, capture screenshots, upload files via the Dropbox API, and execute commands from a command-and-control (C2) server. It ensures persistence by modifying a registry key to launch on user login. Mitigation strategies include monitoring the execution of legitimate binaries, enforcing application whitelisting, and educating users about the risks of downloading files from untrusted sources.

Tech Optimizer

September 25, 2025

LNK Malware Leverages Windows Binaries to Evade Security Tools and Run Malicious Code

Cybersecurity researchers have identified a malware campaign utilizing Windows shortcut (.LNK) files distributed via Discord to deploy a Remote Access Trojan (RAT). The malicious file, named “cyber security.lnk,” lures users with a fake job offer PDF while executing PowerShell commands in the background. It displays a decoy document titled “Cyber Security.pdf” to distract victims during the infection process. The malware exploits the legitimate Windows utility odbcconf.exe to execute a malicious DLL named Moq.dll without triggering security alerts. A PowerShell script extracts a ZIP file containing the payload and runs it using the command: odbcconf.exe /a {regsvr "C:UsersPublicNugetmoq.dll"}. This approach bypasses standard security measures by utilizing trusted binaries. Moq.dll employs advanced evasion techniques, including modifying the AmsiScanBuffer function to disable the Anti-Malware Scan Interface (AMSI) and altering the EtwEventWrite function in ntdll.dll to prevent monitoring through event logs. The malware ensures persistence by modifying the Windows registry to run with explorer.exe at user login and communicates with its command and control server at hotchickenfly.info. The RAT can capture screenshots, gather system information, and exfiltrate data via Dropbox’s API, using AES encryption for its communications. This threat was first observed in Israel and highlights the trend of malware authors leveraging legitimate Windows tools to evade detection. Security researchers from K7 Labs have identified the malware and recommend application whitelisting and monitoring of LOLBin usage as countermeasures. Indicators of Compromise (IOCs) include specific hash values associated with the Trojan.

Tech Optimizer

July 7, 2025

XWorm RAT Deploys New Stagers and Loaders to Bypass Defenses

The XWorm Remote Access Trojan (RAT) has evolved its attack strategies by incorporating advanced stagers and loaders to evade detection. It is known for its capabilities, including keylogging, remote desktop access, data exfiltration, and command execution, and is particularly targeted at the software supply chain and gaming sectors. Recent campaigns have paired XWorm with AsyncRAT for initial access before deploying ransomware using the leaked LockBit Black builder. XWorm utilizes various file formats and scripting languages for payload delivery, often through phishing campaigns with deceptive lures like invoices and shipping notifications. It employs obfuscation techniques, including Base64 encoding and AES encryption, and manipulates Windows security features to avoid detection. Persistence mechanisms such as registry run keys and scheduled tasks ensure sustained access. XWorm conducts system reconnaissance, queries for antivirus software, and attempts to disable Microsoft Defender. It can propagate via removable media and execute commands from command-and-control servers. The Splunk Threat Research Team has developed detections for suspicious activities related to XWorm infections. Indicators of compromise include various file hashes for different scripts and loaders associated with XWorm.

Tech Optimizer

November 15, 2024

JPCert Details on Event Tracing Over EventLog for Windows Forensics

EventLogs are essential for Windows operating system forensics but have limitations in identifying suspicious activities, necessitating additional audit logs or tools like Sysmon. Event Tracing for Windows (ETW) is a significant feature that enhances Windows forensics by collecting and managing EventLogs. ETW consists of four components: Providers (which generate events), Consumers (which process events), Sessions (which relay events), and Controllers (which manage sessions). ETW logs a wide range of operating system behaviors, making it valuable for forensic investigators. Notable ETW providers for incident investigation include Microsoft-Windows-Threat-Intelligence, Microsoft-Windows-DNS-Client, Microsoft-Antimalware-AMFilter, Microsoft-Windows-Shell-Core, Microsoft-Windows-Kernel-Process, and Microsoft-Windows-Kernel-File. Some ETW events are saved as files, while others are accessed in real-time from buffers, allowing for the recovery of information even if ETL files are deleted. JPCert has developed an ETW Scanner plugin for Volatility to extract ETW events from memory images, aiding incident response. The LwtNetLog ETW session collects network-related data, helping investigators identify malware communication and other activities. ETW's detailed logging capabilities and tools like the ETW Scanner enhance the ability to detect threats that traditional logging methods may miss.