
[BlackHatAsia2026] Hidden Telemetry: Uncovering TraceLogging ETW Providers You're Not Using (Yet)

Event Tracing for Windows (ETW) is a built-in Windows logging and tracing framework that collects system and application events, providing detailed visibility into what's happening on a machine. In security, ETW is widely leveraged as one of the key telemetry sources for modern Endpoint Detection and Response (EDR) products because of the wealth of data it provides.

This trace data is generated by components known as providers. While four types exist—Managed Object Format (MOF), Windows software trace preprocessor (WPP), Manifest-based, and TraceLogging—Microsoft generally recommends using the two modern variants: Manifest-based and TraceLogging providers.

However, a significant knowledge gap exists. While Manifest-based providers are relatively well-understood, information regarding TraceLogging providers remains scarce. Consequently, it is questionable whether the security community is truly maximizing ETW's full potential.

To bridge this gap and enable defenders to better leverage ETW, we will present our findings on TraceLogging providers in the latest Windows. We will cover how to work with them, highlight providers potentially useful for security (e.g., AttackSurfaceMonitor), and walk through practical use cases.

Asuka Nakajima

April 24, 2026


Transcript

  1. Uncovering TraceLogging ETW Providers You're Not Using (Yet)

    Asuka Nakajima (@AsuNa_jp), Senior Security Research Engineer, Elastic. BlackHatAsia 2026 | #BHASIA @BlackHatEvents
  2. Asuka Nakajima

    Senior Security Research Engineer, Elastic
    ✓ Founder of CTF for GIRLS (est. 2014), the first female infosec community in Japan
    ✓ Review Board Member: BlackHatUSA / BlackHatAsia / CODE BLUE
    ✓ Endpoint Security R&D, especially developing new detection features for EDR (Elastic Defend)
    ✓ 10+ years of experience in cyber security R&D
  3. What is Event Tracing for Windows (ETW)?

    Event Tracing for Windows (ETW): a built-in Windows logging and tracing framework that provides detailed visibility into what's happening on a machine by collecting system and application events (DNS events, logon events, API events, ...). 🤔
  4. What is Event Tracing for Windows (ETW)?

    DNS events, logon events and API events flow into Endpoint Detection and Response (EDR), which raises EDR alerts. ETW is widely leveraged as one of the key telemetry sources for modern EDR products!
  5. Key Components of ETW Architecture (1/2)

    • Provider: applications and drivers that emit events
    • Consumer: applications that receive events
    • Session: relays events sent from providers, storing them in a buffer
    • Controller: manages trace sessions and providers
  6. Key Components of ETW Architecture (2/2)

    The controller enables/disables ETW providers (e.g. Microsoft-Windows-Win32k ENABLED, Microsoft-Windows-WMIActivity DISABLED, ...) and starts/stops tracing sessions (Session 1, ...). Events from enabled providers flow into the session buffer and are either written to event trace files (.etl) or delivered to a consumer in real time.
  7. Types of ETW Providers

    Event Providers (administrative, operational, analytical and debugging purposes; for admins/users):
    • MOF-based providers (Managed Object Format): legacy
    • Manifest-based providers: modern ✨
    Trace Providers (tracing, diagnostics and debugging purposes; for the original developers):
    • WPP providers (Windows software trace preprocessor): legacy
    • TraceLogging providers: modern ✨
    https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing#types-of-providers
  8. Manifest-based vs. TraceLogging: Key Differences

    1. Naming and event identity
       • Manifest-based: providers typically named with hyphens (e.g. Microsoft-Windows-Firewall); events have stable numeric IDs.
       • TraceLogging: providers typically named with dots (e.g. Microsoft.Windows.Firewall); events identified by name, not ID.
    2. Metadata
       • Manifest-based: metadata (provider, event, etc.) defined in an XML manifest file, embedded in the binary's .rsrc section.
       • TraceLogging: self-describing events (no manifest file); metadata is typically embedded in the binary's .rdata section.
    3. Registration and discoverability
       • Manifest-based: registered and discoverable; a registry entry is created at install time, so providers and events are easy to enumerate via standard tools and APIs.
       • TraceLogging: no registration and not discoverable; no registry entry, and no standard tool can list providers/events.
  9. TraceLogging: Current State of Research

    TraceLogging providers have significantly less publicly available information/research compared to Manifest-based providers. 😲 Note: search results were retrieved in April 2026.
  10. TraceLogging: Current State of Research

    Matt Graeber, REcon 2019: https://www.youtube.com/watch?v=KDn5XiKODtQ. Released the TraceLogging Metadata Parser, TLGMetadataParser.psm1: https://gist.github.com/mattifestation/edbac1614694886c8ef4583149f53658. Even so, TraceLogging providers have significantly less publicly available information/research compared to Manifest-based providers.
  11. TraceLogging: An Unexplored Goldmine?

    Windows 11 (10.0.26200.7705, 25H2): Manifest-based: 920+ providers; TraceLogging: 2600+ providers. 😲!?
  12. TraceLogging: An Unexplored Goldmine?

    Windows 11 (10.0.26200.7705, 25H2): Manifest-based: 920+ providers; TraceLogging: 2600+ providers. 🤔
  13. TraceLogging Provider: Example Code (TlgExample.exe)

    #include <windows.h>
    #include <TraceLoggingProvider.h>

    TRACELOGGING_DEFINE_PROVIDER(g_hProviderA, "My.TLG.ProviderA.Info",     // ProviderName
        (0xb3864c38,0x4273,0x58c5,0x54,0x5b,0x8b,0x36,0x08,0x34,0x34,0x71)); // GUID

    int main(int argc, char* argv[]) {
        TraceLoggingRegister(g_hProviderA);
        TraceLoggingWrite(g_hProviderA, "MyEvent1",                // EventName
            TraceLoggingString(argv[0], "FirstField"),             // Field #1
            TraceLoggingInt32(argc, "SecondField"),                // Field #2
            TraceLoggingString("Helloworld", "ThirdField"));       // Field #3
        TraceLoggingUnregister(g_hProviderA);
        return 0;
    }
  14. TraceLogging Provider: How to Capture Events

    PS C:\> New-EtwTraceSession -Name MyProviderATrace -LocalFilePath C:\temp\MyEvents.etl
    PS C:\> Add-EtwTraceProvider -SessionName MyProviderATrace -Guid '{b3864c38-4273-58c5-545b-8b3608343471}' -MatchAnyKeyword 0xFFFFFFFFFFFF -Level 0xFF
    PS C:\> .\TlgExample.exe
    PS C:\> Remove-EtwTraceSession -Name MyProviderATrace
    PS C:\> tracerpt C:\temp\MyEvents.etl -o C:\temp\MyEvents.evtx -of EVTX
  15. TraceLogging Provider: Metadata Overview

    What the metadata typically contains:
    ✓ Provider name / Provider GUID / Provider Group GUID
    ✓ Event name / Level / Keyword / Opcode / Channel
      • Field names and types
    ✓ Header / BlobType information (provider / event / end of metadata)
    Typically embedded in the .rdata section. Note: details of the metadata blob structure are documented in TraceLoggingProvider.h and TLGMetadataParser.psm1.
  16. TraceLogging Provider Metadata (Microsoft.Windows.Ldap.Client, Wldap32.dll): Header's Structure

    struct _TraceLoggingMetadata_t {
        UINT32 Signature; // = _tlg_MetadataSignature = "ETW0" (45 54 57 30)
        UINT16 Size;      // = sizeof(_TraceLoggingMetadata_t)
        UINT8  Version;   // = _tlg_MetadataVersion (0)
        UINT8  Flags;     // = _tlg_MetadataFlags (64-bit = 1, 32-bit = 0)
        UINT64 Magic;     // = _tlg_MetadataMagic (86 0E 04 88 2B 05 8A BB)
    };
  17. TraceLogging Provider Metadata (Microsoft.Windows.Ldap.Client, Wldap32.dll): Event Blob's Header Structure (_TlgBlobEvent4)

    struct _tlgEventMetadata_t {
        UINT8     Type;          // = _TlgBlobEvent4
        UCHAR     Channel;
        UCHAR     Level;
        UCHAR     Opcode;
        ULONGLONG Keyword;
        UINT16    RemainingSize; // = sizeof(RemainingSize + Tags + EventName + Fields)
    };
  18. TraceLogging Provider Metadata (Microsoft.Windows.Ldap.Client, Wldap32.dll): Event Blob's Body (_TlgBlobEvent4)

    UINT8 Tags[];
    char  EventName[sizeof("eventName")];          // UTF8 nul-terminated event name
    for each field {
        char   FieldName[sizeof("fieldName")];     // UTF8 nul-terminated field name
        UINT8  InType;                             // TlgIn_t
        UINT8  OutType;                            // TlgOut_t
        UINT8  Tags[];
        UINT16 ValueCount;
        UINT16 TypeInfoSize;
        char   TypeInfo[TypeInfoSize];
    }
  19. TraceLogging Provider Metadata (Microsoft.Windows.Ldap.Client, Wldap32.dll): Provider Blob's Header (_TlgBlobProvider3)

    struct _tlgProviderMetadata_t {
        UINT8  Type;          // = _TlgBlobProvider3
        GUID   ProviderId;
        UINT16 RemainingSize; // = sizeof(RemainingSize + ProviderName)
    };
  20. TraceLogging Provider Metadata (Microsoft.Windows.Ldap.Client, Wldap32.dll): Provider Blob's Body (_TlgBlobProvider3)

    char ProviderName[sizeof("providerName")];     // UTF8 nul-terminated provider name
    for each additional chunk of metadata {
        UINT16 ChunkSize;
        UINT8  ChunkType;
        UINT8  ChunkData[ChunkSize - 3];
    }
  21. TraceLogging Provider Metadata (Microsoft.Windows.Ldap.Client, Wldap32.dll): End of Metadata

    After the event and provider blobs comes the end marker: End of Metadata (_TlgBlobEnd = 0x1).
  22. TraceLogging Provider Metadata (Microsoft.Windows.Ldap.Client, Wldap32.dll): Overall Layout

    Metadata blob (.rdata): Header, Event A, Event B, Event C, ..., Provider 1, Provider 2, ..., End of Metadata (_TlgBlobEnd = 0x1). Each provider also has a runtime provider state structure, _tlgProvider_t, in .data, which the event-write code in .text references:
    struct _tlgProvider_t {
        UINT32 LevelPlus1;
        UINT16 const UNALIGNED* ProviderMetadataPtr;
        ULONGLONG KeywordAny;
        ULONGLONG KeywordAll;
        ...
    };
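The metadata layout described in slides 16 to 22, as an added worked example (not code from the deck or from TLGMapper): a Python parser that validates the _TraceLoggingMetadata_t header, then walks _TlgBlobEvent4 and _TlgBlobProvider3 blobs until _TlgBlobEnd, run over a constructed blob that mirrors the TlgExample.exe provider and its MyEvent1 event. The blob type values other than _TlgBlobEnd, the InType/OutType flag bits and the TlgIn_t values are taken from TraceLoggingProvider.h as recalled here rather than from the slides and should be checked against your SDK copy; treating the provider RemainingSize as covering the trait chunks is likewise an assumption.

```python
import struct
import uuid

# Constants recalled from TraceLoggingProvider.h (assumed; the slides give only "ETW0", the magic and _TlgBlobEnd).
SIGNATURE, MAGIC = b"ETW0", 0xBB8A052B88040E86   # magic bytes 86 0E 04 88 2B 05 8A BB
BLOB_END, BLOB_PROVIDER3, BLOB_EVENT4 = 0x1, 0x4, 0x6
IN_CCOUNT, IN_CUSTOM, IN_CHAIN, OUT_CHAIN = 0x20, 0x60, 0x80, 0x80

def _tags(buf, pos):   # tag bytes: one or more, read until a byte with the high bit clear
    while buf[pos] & 0x80:
        pos += 1
    return pos + 1

def _cstr(buf, pos):   # UTF-8 nul-terminated string -> (text, offset after the nul)
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8"), end + 1

def parse_header(buf):   # _TraceLoggingMetadata_t; Flags bit 0 = 64-bit binary
    sig, size, version, flags, magic = struct.unpack_from("<4sHBBQ", buf, 0)
    if sig != SIGNATURE or magic != MAGIC:
        raise ValueError("not a TraceLogging metadata header")
    return {"size": size, "version": version, "is64bit": bool(flags & 1)}

def parse_event(buf, pos):
    """_TlgBlobEvent4: 12-byte fixed prefix, then RemainingSize (which counts itself)."""
    _, channel, level, opcode, keyword, remaining = struct.unpack_from("<BBBBQH", buf, pos)
    end = pos + 12 + remaining
    name, cur = _cstr(buf, _tags(buf, pos + 14))     # skip event-level tags, read the event name
    fields = []
    while cur < end:
        fname, cur = _cstr(buf, cur)
        in_type, out_type, cur = buf[cur], None, cur + 1
        if in_type & IN_CHAIN:                        # OutType present only when InType chains
            out_type, cur = buf[cur] & 0x7F, cur + 1
            if buf[cur - 1] & OUT_CHAIN:              # field-level tags present only when OutType chains
                cur = _tags(buf, cur)
        if (in_type & IN_CUSTOM) == IN_CCOUNT:        # fixed-count array: UINT16 ValueCount
            cur += 2
        elif (in_type & IN_CUSTOM) == IN_CUSTOM:      # custom type: UINT16 TypeInfoSize + TypeInfo
            cur += 2 + struct.unpack_from("<H", buf, cur)[0]
        fields.append((fname, in_type & 0x1F, out_type))
    return {"name": name, "channel": channel, "level": level, "opcode": opcode,
            "keyword": keyword, "fields": fields}, end

def parse_provider(buf, pos):
    """_TlgBlobProvider3: Type, GUID, RemainingSize, name; trailing trait chunks kept raw (assumed layout)."""
    guid = uuid.UUID(bytes_le=bytes(buf[pos + 1:pos + 17]))
    end = pos + 17 + struct.unpack_from("<H", buf, pos + 17)[0]   # RemainingSize counts itself
    name, cur = _cstr(buf, pos + 19)
    return {"name": name, "guid": str(guid), "chunks": bytes(buf[cur:end])}, end

def parse_blob(buf):
    """Walk header -> event/provider blobs until _TlgBlobEnd; returns (header, events, providers)."""
    hdr, out = parse_header(buf), {"events": [], "providers": []}
    parsers = {BLOB_EVENT4: (parse_event, "events"), BLOB_PROVIDER3: (parse_provider, "providers")}
    pos = hdr["size"]
    while buf[pos] != BLOB_END:
        if buf[pos] not in parsers:
            raise ValueError(f"unsupported blob type 0x{buf[pos]:02x} at offset {pos}")
        fn, key = parsers[buf[pos]]
        item, pos = fn(buf, pos)
        out[key].append(item)
    return hdr, out["events"], out["providers"]

def build_sample():
    """Constructed blob mirroring TlgExample.exe's provider and MyEvent1 from the slides."""
    guid = uuid.UUID("b3864c38-4273-58c5-545b-8b3608343471").bytes_le
    pbody = b"My.TLG.ProviderA.Info\x00"
    provider = struct.pack("<B16sH", BLOB_PROVIDER3, guid, 2 + len(pbody)) + pbody
    ebody = b"\x00MyEvent1\x00"                       # one tag byte (no tags), then the event name
    for fname, in_type in (("FirstField", 2), ("SecondField", 7), ("ThirdField", 2)):
        ebody += fname.encode() + b"\x00" + bytes([in_type])   # 2 = ANSISTRING, 7 = INT32 (assumed)
    event = struct.pack("<BBBBQH", BLOB_EVENT4, 11, 5, 0, 0, 2 + len(ebody)) + ebody   # channel 11
    return struct.pack("<4sHBBQ", SIGNATURE, 16, 0, 1, MAGIC) + event + provider + bytes([BLOB_END])
```

To run it over a real binary, feed parse_blob the bytes starting at an "ETW0" signature hit in .rdata, as TLGMapper's Stage A1 scan locates them.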
  23. The Missing Link: Event-to-Provider Ownership

    The metadata blob holds Header, Event A, Event B, Event C, Provider 1, Provider 2, ... but which events belong to which provider? Several groupings are possible from the blob alone. ! The metadata blob has no ownership markers between events and providers.
  24. The Missing Link: Event-to-Provider Ownership

    The metadata blob has no ownership markers between events and providers! Parsing the metadata blob alone isn't enough!
  25. Mapping Events to Providers: Two Approaches

    Static binary analysis:
    ✅ No execution needed
    ✅ Theoretically covers all events
    ❌ Manual analysis is time consuming and labor-intensive
    Capture at runtime (1. start trace session, 2. run binary, 3. observe events):
    ✅ Easy to set up
    ❌ Events that don't fire during execution are invisible
  26. TLGMapper: How it Works (Stage A: Metadata Extraction)

    Input: a binary file (PE scan). Two stages: Stage A, Metadata Extraction; Stage B, Provider-Event Resolution.
    A1: Header signature/magic scanning
    A2: Metadata blob parsing (mainly to collect event data addresses and provider info)
    A3: Resolve provider struct (_tlgProvider_t) locations and store their addresses
    Output: Header, Event A, Event B, Provider 1, Provider 2 (event data addresses) and _tlgProvider_t Provider1, _tlgProvider_t Provider2 (provider struct addresses)
  27. TLGMapper: How it Works (Stage B: Provider-Event Resolution)

    B1: Sweep all functions for data refs (+call refs). Per function, record the event data addresses and provider struct addresses it references, e.g.:
    • Provider struct addresses: 0x140398b80... (Provider1), 0x140398cc0... (Provider2)
    • Event data addresses: 0x14036423A... (EventA), 0x14036419A... (EventB)
  28. TLGMapper: How it Works (Stage B: Provider-Event Resolution)

    B1 (continued): Found event refs!
  29. TLGMapper: How it Works (Stage B: Provider-Event Resolution)

    B1 (continued): Found provider refs!
  30. TLGMapper: How it Works (Stage B: Provider-Event Resolution)

    B1 (continued): Found call refs!
  31. TLGMapper: How it Works (Stage B: Provider-Event Resolution)

    B2: Resolution priority chain (per event): first match wins, then stop.
    🥇 1. Single Provider: the binary contains only one provider
    🥈 2. Direct-Preceding: a provider ref appears before the event ref in the same function
    🥉 3. Direct-Nearest: the closest provider ref by address in the same function
    🔗 4. CallGraph-dN: DFS through callees (max depth: 3, searching backward first)
    ❓ 5. Unknown: no provider could be resolved
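The B2 priority chain above, as an added illustration in Python (not TLGMapper's own code): resolve() applies the five rules in order to per-function reference tables of the kind B1 produces, over constructed reference data built around the addresses shown in the Stage B slides. The Ref layout, the function names sub_1000 to sub_6000, the choice of the closest preceding ref for rule 2, and the exact ordering used for "searching backward first" are assumptions.

```python
from collections import namedtuple

# A data/call reference found while sweeping a function (B1). kind: "event", "provider" or "call".
Ref = namedtuple("Ref", "addr kind target")
MAX_DEPTH = 3   # CallGraph-dN limit from the slides

# Constructed sample (assumed layout): provider/event addresses from the Stage B slides,
# referenced from hypothetical functions sub_1000 .. sub_6000.
PROVIDERS = {0x140398B80: "Provider1", 0x140398CC0: "Provider2"}
EVENTS = {0x14036423A: "EventA", 0x14036419A: "EventB", 0x140364300: "EventC", 0x140364400: "EventD"}
FUNCS = {
    "sub_1000": [Ref(0x1000, "provider", 0x140398B80), Ref(0x1010, "event", 0x14036423A)],
    "sub_2000": [Ref(0x2000, "event", 0x14036419A), Ref(0x2010, "provider", 0x140398CC0)],
    "sub_3000": [Ref(0x3000, "call", "sub_4000"), Ref(0x3010, "event", 0x140364300)],
    "sub_4000": [Ref(0x4000, "call", "sub_5000")],
    "sub_5000": [Ref(0x5000, "provider", 0x140398CC0)],
    "sub_6000": [Ref(0x6000, "event", 0x140364400)],      # no provider reachable -> Unknown
}

def _callgraph(funcs, name, depth, seen, ev_addr=None):
    """DFS through callees up to MAX_DEPTH; returns (provider_addr, depth) or None.
    In the event's own function, callees invoked before the event ref are tried first
    (nearest first), then those after it: the "searching backward first" rule."""
    if depth > MAX_DEPTH or name in seen:
        return None
    seen.add(name)
    refs = funcs.get(name, [])
    direct = [r.target for r in refs if r.kind == "provider"]
    if direct:
        return direct[0], depth
    calls = [r for r in refs if r.kind == "call"]
    if ev_addr is not None:
        calls = [c for c in reversed(calls) if c.addr < ev_addr] + [c for c in calls if c.addr >= ev_addr]
    for call in calls:
        hit = _callgraph(funcs, call.target, depth + 1, seen)
        if hit:
            return hit
    return None

def resolve(funcs, providers, ev_addr):
    """B2 priority chain for one event: the first matching rule wins, then stop."""
    if len(providers) == 1:                                   # 1. Single Provider
        return next(iter(providers)), "Single Provider"
    for fname, refs in funcs.items():
        ev = next((r for r in refs if r.kind == "event" and r.target == ev_addr), None)
        if ev is None:
            continue
        provs = [r for r in refs if r.kind == "provider"]
        preceding = [r for r in provs if r.addr < ev.addr]
        if preceding:                                         # 2. Direct-Preceding (closest one before)
            return max(preceding, key=lambda r: r.addr).target, "Direct-Preceding"
        if provs:                                             # 3. Direct-Nearest (closest by address)
            return min(provs, key=lambda r: abs(r.addr - ev.addr)).target, "Direct-Nearest"
        hit = _callgraph(funcs, fname, 0, set(), ev.addr)     # 4. CallGraph-dN
        if hit:
            return hit[0], f"CallGraph-d{hit[1]}"
    return None, "Unknown"                                    # 5. Unknown

def resolve_all(funcs, providers, events):
    """Map every event name to (provider name or None, rule that resolved it)."""
    result = {}
    for addr, ev_name in events.items():
        prov_addr, rule = resolve(funcs, providers, addr)
        result[ev_name] = (providers.get(prov_addr), rule)
    return result
```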
  32. TraceLogging Providers Survey: Target Binary Files

    ❖ Target OSs
      ➢ Windows 11, 10.0.26200.7705 (25H2)
      ➢ Windows Server 2025, 10.0.26100.32230
    ❖ Target Directories
      ➢ C:\Windows\*
      ➢ C:\Program Files\*
      ➢ Excluded the "WinSxS" directory
    ❖ Target Files
      ➢ .exe/.dll/.sys (64-bit only)*
      ➢ Win11: total 2564 files / WinSvr2025: total 2342 files
    Identified binaries containing TraceLogging providers using TLGMetadataParser.psm1, then performed Provider-Event mapping with TLGMapper.
    * Note: a small number of TraceLogging provider binaries were excluded due to file permission issues.
  33. Result: Overall TraceLogging Providers / Events

    Windows 11 (ver. 10.0.26200.7705, 25H2): 2672 providers. Windows Server 2025 (ver. 10.0.26100.32230): 2469 providers. 64000 and 73000 unique events.
  34. Windows 11 vs. Windows Server 2025

    # of providers: Win11 2672, Server2025 2469. Overlapped providers: 2453; Win11 only: 219; Server2025 only: 16.
  35. Windows 11 vs. Windows Server 2025

    Windows 11: richer consumer/client-oriented features, e.g. Microsoft.FamilySafety.*, Microsoft.Windows.FamilySafety.*, Microsoft.Xbox.*, Microsoft.Windows.Xbox.*, Microsoft.Windows.Onecore.WebThreatDefence.*, Microsoft.Windows.Security.Biometrics.*
  36. Windows 11 vs. Windows Server 2025

    Windows Server 2025: server-oriented features, e.g. Microsoft.Windows.AzureArcSetup, Microsoft.Windows.SrvInitConfigProvider
  37. What Drives the 920+ vs. 2600 Gap?

    Application     Manifest-based   TraceLogging
    notepad.exe     × None           Microsoft.Notepad
    calc.exe        × None           MicrosoftCalculator
    wextract.exe    × None           Microsoft.Windows.Wextract
    😲 Recap: ❖ Manifest-based: user/admin-facing telemetry. ❖ TraceLogging: developer-focused telemetry.
  38. What Drives the 920+ vs. 2600 Gap?

    My guess is that Microsoft does not create Manifest-based providers for logs that are not considered useful to users/admins, AND / OR Microsoft starts with a TraceLogging provider and only adds Manifest-based provider(s) later if the logs also appear useful to users/admins.
  39. Doppelgänger Providers (Examples)

    Manifest-based                           TraceLogging
    Microsoft-Antimalware-Scan-Interface     Microsoft.Antimalware.Scan.Interface
    Microsoft-Windows-Firewall               Microsoft.Windows.Firewall
    Microsoft-Windows-SmartScreen            Microsoft.Windows.SmartScreen
    Microsoft-Windows-Ldap-Client            Microsoft.Windows.Ldap.Client
    Microsoft-Windows-Security-Kerberos      Microsoft.Windows.Security.Kerberos
    Microsoft-Windows-Security-Netlogon      Microsoft.Windows.Security.Netlogon
    Microsoft-Windows-Kernel-Registry        Microsoft.Windows.Kernel.Registry
    Microsoft-Windows-Kernel-Dump            Microsoft.Windows.Kernel.Dump
    Microsoft-Windows-TaskScheduler          Microsoft.Windows.TaskScheduler
  40. Ldap Client Provider's Events (Manifest vs. TraceLogging)

    Microsoft-Windows-Ldap-Client (Manifest-based):
    ✓ Event ID 1–29, 31: Ldap client trace events
    ✓ Event ID 30: Ldap search API event (ScopeOfSearch, SearchFilter, DistinguishedName, AttributeList, ProcessId)
    Microsoft.Windows.Ldap.Client (TraceLogging):
    ✓ LdapBindStatistics
    ✓ LdapReceiveStatistics
  41. AMSI Provider's Events (Manifest vs. TraceLogging)

    Microsoft-Antimalware-Scan-Interface (Manifest-based):
    ✓ Event ID 1101: AmsiScanBuffer event (session, scanStatus, scanResult, appname, contentname, contentsize, original size, content, hash, contentFiltered, hashoriginalcontent)
    Microsoft.Antimalware.Scan.Interface (TraceLogging):
    ✓ AmsiProvider
    ✓ AmsiProviderFailTrust
    ✓ AmsiScan (PartA_PrivTags, ProviderIndex, Guid, Duration, Hr, Result)
    ✓ AmsiUacScan
  42. AMSI Provider's Events (Manifest vs. TraceLogging)

    The Microsoft-Antimalware-UacScan provider has a UacScan event, which contains richer fields than AmsiUacScan.
  43. Advantages of TraceLogging Providers (2/4)

    One of the key strengths is their broader coverage: TraceLogging 2600 vs. Manifest-based 920. Note: results of the analysis of providers with the same or similar names in Manifest-based and TraceLogging: https://github.com/AsuNa-jp/TLGMapper/blob/main/misc/OverlappedProviders/OverlappedProviders.md
  44. Advantages of TraceLogging Providers (3/4): Copilot / AI-related providers

    • Microsoft.Windows.UDK.WindowsCopilot
    • Microsoft.Windows.Shell.WindowsCopilot
    • Microsoft.Windows.Desktop.CopilotHotkeyManager
    • Microsoft.Windows.Desktop.AIAssistance
    • Microsoft.Windows.AI.Platform
    • Microsoft.Windows.AI.MachineLearning
    • Microsoft.Windows.AI.WindowsMLRuntime
    • Microsoft.Windows.AIFabric
  45. Advantages of TraceLogging Providers (3/4): Copilot / AI-related providers

    Event names and fields:
    • CopilotLaunch: FormCode, PartA_PrivTags
    • SendFileWithConfirmationBehavior: PartA_PrivTags
    • SendPromptWithConfirmationBehavior: PartA_PrivTags
  46. Advantages of TraceLogging Providers (3/4): Copilot / AI-related providers

    Event names and fields:
    • FeatureEnablement: featureName, userEnabled, FeatureEnabledReason, windowsEnabled, FeatureEnabledReason
    • WindowsCopilotSessionSummaryEvent: PartA_PrivTags, componentName, endApplication, actionNamesCompleted, actionCompleted, resultKeptNeedsEvaluation, featureName, startApplication, featureIdentifiersSeen, featureViewed, durationMs, resultKept
  47. Advantages of TraceLogging Providers (4/4): Providers related to relatively new features (Examples)

    • User Choice Protection Driver: Microsoft.Windows.Kernel.UCPD
    • Win32 App Isolation: Microsoft.Windows.Security.IsolationApi
  48. Advantages of TraceLogging Providers (4/4): Providers related to relatively new features (Examples)

    Event names (an excerpt): DefBrowserModify, CopilotModify, FakeMSApp, OfficeModify, UIAAttack
  49. Advantages of TraceLogging Providers (4/4): Providers related to relatively new features (Examples)

    🤔 Keep in mind that, because these are intended for developers, the event contents may change. Might be useful for detecting attacks against new features?
  50. AttackSurfaceMonitor: Provider Overview

    Provider binary file: ✓ C:\Windows\System32\ntoskrnl.exe (Windows Kernel)
    Provider GUID: c4e507b1-7224-4737-bde0-ced9284e7073
    Useful event(s):
    ✓ Ast.DeviceCreated (IoCreateDevice API). Important fields: DeviceName/DeviceType/DeviceCharacteristics/DeviceObject
    ✓ Ast.DeviceSDDLChanged (IoCreateDeviceSecure API)
    ✓ Ast.IoctlCalled (DeviceIoControl API). Important fields: DeviceObject/IoControlCode/DeviceNameTailHash
    Use cases: ✓ Suspicious IOCTL-based device driver abuse detection (BYOVD and legitimate feature misuse)
  51. AttackSurfaceMonitor: Event Details (4/4)

    Ast.IoctlCalled event (DeviceIoControl API) with IoControlCode: 2148540480 (0x80102040), the map buffer IOCTL code:
    #define IOCTL_IPCTYPE_MAPBUFFER CTL_CODE(IPCTYPE_DEVICE_TYPE, \
        IPCTYPE_MAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) // 0x80102040
    https://github.com/hfiref0x/KDU/blob/master/Source/Hamakaze/idrv/ipcdec.h
  52. AttackSurfaceMonitor: Behavior Detection Rule

    Rule name: Process Suspended via TTD Monitor Driver
    https://github.com/elastic/protections-artifacts/blob/fc8633fd1aca367bd7e986a2e62f6851b150ad8f/behavior/rules/windows/defense_evasion_process_suspended_via_ttd_monitor_driver.toml

    api where process.Ext.api.name == "DeviceIoControl" and
      process.Ext.api.parameters.device : "\\Device\\com_microsoft_idna_ProcLaunchMon" and
      /* IOCTL 0x228034 to suspend a PID */
      process.Ext.api.parameters.io_control_code == 2261044 and
      not _arraysearch(process.thread.Ext.call_stack_final_user_module.code_signature, $caller, $caller.trusted == true)
  53. Microsoft.Windows.Kernel.SysEnv: Provider Overview

    Provider binary file: ✓ C:\Windows\System32\ntoskrnl.exe (Windows Kernel)
    Provider GUID: a9fdf37b-d72d-4051-a3cd-d422103ce079
    Useful event(s): ✓ GetVariable and SetVariable. Important fields: variableName/vendorGuid/attributes/status
    Use cases: ✓ BootKit/SecureBoot bypass detection
      • Detect reconnaissance reads of SecureBoot status via GetVariable
      • Monitor SetVariable calls targeting UEFI variables for anomalous write patterns
  54. Microsoft.Windows.Kernel.SysEnv: Event Details

    Example of SecureBoot status recon: PS C:\> Get-SecureBootUEFI -Name SecureBoot, which triggers a GetVariable event.
    * Note: this event was triggered on Windows 11 build 10.0.26200.8037.
  55. Microsoft.Windows.ShellExecute: Provider Overview

    Provider binary file: ✓ C:\Windows\System32\windows.storage.dll
    Provider GUID: 382b5e24-181e-417f-a8d6-2155f749e724
    Useful event(s): ✓ ShellExecuteExW. Important fields: lpVerb/lpFile/lpParameters/lpDirectory/fMask/nShow/hwnd/lpClass
    Use cases: ✓ Detect suspicious, hidden, or indirect process launches via ShellExecuteExW
  56. Microsoft.Windows.ShellExecute: Event Details

    ShellExecuteExW event: lpFile: C:\WINDOWS\system32\calc.exe, lpParameters: dummyArg. Default fMask for the Run dialog?*
    * Note: on both Windows 11 and Server 2025, this mask was consistently observed when executing via the Run dialog.
    🤔 Might be useful for detecting ClickFix-style attacks?
  57. Interesting Providers I Haven't Explored Yet

    • Microsoft.Windows.Security.BCrypt
    • Microsoft.Windows.Firewall.API
    • Microsoft.Windows.Security.Ncrypt
    • Microsoft.Windows.Kernel.Security
    • Microsoft.Windows.Security.TokenBroker
    • Microsoft.Windows.Kernel.Registry
    • Microsoft.Windows.Security.PlatformCryptoProvider
    • Microsoft.Web.Platform
    • Microsoft.Windows.Security.Certificates
    • Microsoft.Windows.App.Browser
    • Microsoft.Windows.Security.CAPI
    • Microsoft.Windows.ComOleAut32
    • Microsoft.Windows.Security.Wldp
    • Microsoft.AAD.Runtime
    • Microsoft.Windows.Security.Shutinit
    • Microsoft.Windows.Networking.DNS
    • Microsoft.Windows.Security.Kerberos
    • Microsoft.Windows.Networking.WFP.User
    • Microsoft.Windows.Security.CodeIntegrity.Wintrust
    • CombaseTraceLoggingProvider
  58. TLGMapper: New Release!

    https://github.com/AsuNa-jp/TLGMapper
    • TLGMapper.py: IDA Python script for TraceLogging event-to-provider resolution (tested with IDA Pro 8.x+)
    • Per-provider event catalog: event details organized by provider
    • Raw extracted data for each binary (CSV files)
    BlackHatAsia 2026 | #BHASIA @BlackHatEvents