TiEtwAgent project was created to research, build and test different memory injection detection use cases and bypass techniques. The agent utilizes Microsoft-Windows-Threat-Intelligence event tracing provider, as a more modern and stable alternative to Userland-hooking, with the benefit of Kernel-mode visibility.
The project depends on the microsoft/krabsetw library for ETS setup and consumption.
An accompanying blog post can be found here: https://blog.redbluepurple.io/windows-security-research/kernel-tracing-injection-detection
Adding New Detections
Detection functions can be easily added in DetectionLogic.cpp, and called from detect_event(GenericEvent evt) for any source event type. Support for new event fields can be easily added by appending their name to the map in GenericEvent class declaration.
Setup Instructions
Assuming you do not have a Microsoft-trusted signing certificate:
In the realm of remote desktop management, evilrdp stands out as a powerful tool designed…
wa-tunnel is an innovative tool designed to tunnel TCP data through two WhatsApp accounts, leveraging…
Deepfake apps are sophisticated tools that utilize advanced AI algorithms, particularly Generative Adversarial Networks (GANs),…
Subdominator is a lightweight and fast tool designed for passive subdomain enumeration, primarily used in…
A critical vulnerability, CVE-2025-29927, has recently been identified in the Next.js ecosystem, allowing attackers to…
The Awesome-Redteam repository is a comprehensive collection of tools and resources designed for red teaming…