{"uuid": "f6f807eb-642a-4515-aff3-d91038b16e37", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2015-2291", "type": "seen", "source": "https://gist.github.com/Hassan-Pouladi/689b38b12c766208412f5f6d437e2add", "content": "# The Windows Nervous System, Part I: Discovering Threats with Event Tracing for Windows\n\n*Author: Hassan Pouladi*\n\n## Introduction\n\nAntivirus has long been the gold standard for endpoint security. As the internet grew, so did the threats, turning cybersecurity into a constant battle of attrition. Placing security software at the kernel level gave defenders a critical upper hand. Common threats operate in userland and cannot touch the kernel, allowing antivirus to stop them using the highest authority on the system.\n\nUnfortunately, kernel space is a double-edged sword. One side cuts down threats; the other can cut down the very shields defending the system. To operate at the kernel level, a process needs a signed kernel driver or authorization from a kernel-level process. Threat actors responded by bringing their own drivers; both sides now fought on the same ground.\n\n\n\n\nMicrosoft answered with driver signing, locking the gates of the kingdom so only trusted parties could enter. This effectively shut down the threat of arbitrary unsigned drivers. Yet threat actors found they did not need to break through the lock. They simply needed the right key.\n\nEvery driver on a Windows system must carry a valid digital signature before the kernel will load it. Bring Your Own Vulnerable Driver (BYOVD) turns that requirement into a loophole. Rather than forging a signature, attackers drop a legitimate, already-signed driver onto the target system and exploit a known flaw within it to gain kernel access. The signed driver passes the check cleanly. The malicious payload rides in behind it.\n\nA real-world example is `iqvw64e.sys`, an Intel network adapter diagnostics driver signed and trusted by Windows. It also contains CVE-2015-2291, a vulnerability that allows anyone who loads it to reach directly into kernel memory. Scattered Spider, one of the most destructive hacking groups of recent years, used this exact driver to disable security software and deploy ransomware across dozens of organizations. The driver was not malicious. It was just a door left unlocked.\n\n\n\nDefenders needed something that could monitor these kernel-level threats in real time. Windows already had the answer built in. ETW, or Event Tracing for Windows, is a subsystem within the Windows kernel that records a huge range of system activity and feeds it to a subscriber for processing. Like nerves relaying signals to the brain, ETW captures what is happening across the entire system and makes it available for analysis.\n\n## Event Tracing for Windows\n\nETW is built around the concept of providers. Each provider is responsible for a specific category of system activity, publishing a stream of events that a subscriber can tap into for analysis.\n\nChoosing an ETW provider is like choosing which nerves to listen to. Just as the body has nerves dedicated to specific senses and regions, ETW providers are dedicated to specific data. A security tool subscribes to the providers relevant to what it wants to detect, receiving a focused stream of telemetry rather than undifferentiated noise from the entire system.\n\n### Key Providers for Security Tooling\n\n| Provider | Telemetry |\n|---|---|\n| Microsoft-Windows-Kernel-Process | Process and thread creation, termination, image loads |\n| Microsoft-Windows-Kernel-Network | TCP/UDP connections |\n| Microsoft-Windows-PowerShell | Script block execution, command invocation |\n| Microsoft-Windows-DNS-Client | DNS resolution requests and responses |\n| Microsoft-Windows-Security-Auditing | Logon events, privilege use, object access |\n| Microsoft-Windows-WinInet | HTTP/HTTPS requests from applications using WinINet |\n\n## Modern ETW Applications\n\nETW has always provided a window into the system, giving developers the ability to extract telemetry and check it against known malicious patterns. In the modern era, that window becomes far more powerful when paired with machine learning. Trained models can consume ETW event streams and detect complex malicious patterns that static rules alone would miss.\n\n## Closing Thoughts\n\nModern threats may operate at the kernel level, but ETW is watching. It acts like a nerve relaying signals to the brain, letting the system feel a threat the moment it moves. However, that nerve can be cut. An attacker who reaches the kernel can patch ETW's logging functions or shut down trace sessions entirely, which is why safeguards like tamper protection and Protected Process Light (PPL) exist to shield security tooling. Even so, ETW gives security software the ability to identify where a threat is operating, what it has touched, and how it is moving through the system. Intelligence does not guarantee a win, but it significantly closes the gap between detection and response.\n\n## References\n\n1. CrowdStrike Intelligence Team. \"SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security.\" *CrowdStrike Blog*, January 10, 2023. \n2. National Institute of Standards and Technology. \"CVE-2015-2291 Detail.\" *National Vulnerability Database*. \n3. Microsoft. \"About Event Tracing.\" *Microsoft Learn*. ", "creation_timestamp": "2026-07-03T21:50:47.715545Z"}