EzETW — Got To Catch Them All…



Time flies when you’re a Falcon! It’s been more than a month since I joined the FalconForce crew, and I haven’t found the time to introduce myself. To fix this, I decided to write a blog post and share a little tool along with it…

TL;DR: This post will present the EzETW tool and go over basic Windows events PowerShell cmdlet syntax. If you just came for the tool, you can get it from the GitHub link at the end of this post.

Making the switch from offensive consulting to detection engineering, I get to put my hands on a lot of new stuff. I’m like a pre-COVID kid in a candy shop… And since I come from the world of Windows automation (aka PowerShell), I have the bad habit of creating cmdlets for everything.

Whether in the cloud or on the host, one recurring need in the life of a detection engineer is catching events. In this post, I’ll take a quick dive into catching events on the host with PowerShell.
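As an added example that is not taken from the post or from the EzETW tool, here is a minimal "catch events on the host" routine built only from the cmdlets Windows ships with: the EventTracingManagement module (New-EtwTraceSession, Add-EtwTraceProvider, Remove-EtwTraceSession) to run an ETW session into an .etl file, and Get-WinEvent to resolve the provider GUID and parse the file afterwards. The function name Invoke-EtwCapture, the session name and the choice of the Microsoft-Windows-PowerShell provider as demo source are my own assumptions; it needs an elevated session on Windows 10 / Server 2016 or later.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original post or of EzETW): capture events from one
# ETW provider with the built-in EventTracingManagement and Get-WinEvent cmdlets.
# Assumptions: Windows 10 / Server 2016 or later (EventTracingManagement module present),
# an elevated session, and Microsoft-Windows-PowerShell as the demo provider.

function Invoke-EtwCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]      $ProviderName,   # e.g. 'Microsoft-Windows-PowerShell'
        [Parameter(Mandatory)] [scriptblock] $Action,         # activity to record while tracing
        [string] $SessionName = 'EzDemoSession',              # hypothetical session name
        [string] $EtlPath     = (Join-Path $env:TEMP "$SessionName.etl"),
        [byte]   $Level       = 5,                            # 5 = TRACE_LEVEL_VERBOSE
        [uint64] $Keywords    = [uint64]::MaxValue            # match any keyword
    )

    # Resolve the provider GUID from its registered manifest instead of hard-coding it.
    $provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop
    $guid = $provider.Id.ToString('B')   # '{...}' form expected by Add-EtwTraceProvider

    # ETW sessions are kernel objects that outlive the PowerShell process:
    # clean up anything left over from an earlier, interrupted run.
    if (Get-EtwTraceSession -Name $SessionName -ErrorAction SilentlyContinue) {
        Remove-EtwTraceSession -Name $SessionName
    }
    if (Test-Path $EtlPath) { Remove-Item $EtlPath }

    # 0x1 = EVENT_TRACE_FILE_MODE_SEQUENTIAL: write to a file, stop at MaximumFileSize (MB).
    New-EtwTraceSession -Name $SessionName -LogFileMode 0x1 -LocalFilePath $EtlPath -MaximumFileSize 64 | Out-Null
    Add-EtwTraceProvider -SessionName $SessionName -Guid $guid -Level $Level -MatchAnyKeyword $Keywords | Out-Null
    try {
        & $Action
        Start-Sleep -Seconds 2   # give the buffers time to flush before the session is torn down
    }
    finally {
        # Removing the session stops the trace and closes the .etl file, even if $Action threw.
        Remove-EtwTraceSession -Name $SessionName
    }

    # Get-WinEvent parses .etl files offline; -Oldest is mandatory for trace logs.
    Get-WinEvent -Path $EtlPath -Oldest
}

# Demo: record what the PowerShell engine logs while a script block runs in this process.
$events = Invoke-EtwCapture -ProviderName 'Microsoft-Windows-PowerShell' -Action {
    Invoke-Expression '1 + 1'   # harmless command that produces engine and script block events
}

# Summarise by event ID so you can see which events the provider actually emitted.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Two things worth knowing before relying on this in a detection pipeline: the built-in cmdlets only give you a file-based capture (create session, add provider, stop, parse), not a live stream of events, and the `finally` block matters because a session you forget to remove keeps tracing and writing to disk long after your script has exited.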

Cross-posted from medium.com; please read the full article here:

https://medium.com/falconforce/ezetw-got-to-catch-them-all-d277ff2c82cc

Direct link to SadProcessor’s GitHub page:

https://github.com/SadProcessor/EzETW