
Logging user SID for file and registry events? #36

Open
cocowalla opened this issue Dec 6, 2020 · 1 comment
Labels
scope: kevents Anything related to kernel events

Comments

@cocowalla

I've only read the docs so far, but Fibratus looks great!

I'm new to ETW, so am not sure if this is feasible, but I was wondering if it was possible to capture user information, for file and registry events in particular, to know who was responsible for the change. In log examples I see the process ID is logged by Fibratus, so presumably I could get the SID of the user the process is running as - but I think this has some big limitations:

  1. If the process ends immediately after the ETW event was logged, trying to get the SID would obviously not be possible

  2. A process can be started by UserA, and then use per-thread impersonation to perform actions in the context of another user - I wouldn't want to wrongly attribute a change to a different user

  3. I've no clue how this would work for operations by remote users, such as someone writing a file to an SMB share

Curious to know what you think?

@rabbitstack (Owner)

Hey @cocowalla! Thanks.

During bootstrap, Fibratus builds a snapshot of running processes that are published on behalf of the NT Kernel Logger provider. Each process in the snapshot contains the SID as reported by the ETW provider.

You can customize the console output template to show the security identifier associated with the process that triggers an event or you can filter based on the SID (e.g. ps.sid = 'domain\\NT AUTHORITY'). I think that it would be even better to have two different fields for filtering - ps.user and ps.domain.

Do you know if there is a way to know if the thread was impersonated? The OpenThreadToken Win32 API obtains the thread access token, so, maybe there is a way around it.

Regarding writing to SMB shares, I'm not really sure what would be the involved SID but could probably check that out.

@rabbitstack rabbitstack added the scope: kevents Anything related to kernel events label Dec 6, 2020
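Added example (not part of this issue thread or of Fibratus): the OpenThreadToken check the owner mentions, done from PowerShell via P/Invoke. It opens the calling thread's token with OpenAsSelf set; ERROR_NO_TOKEN (1008) means the thread is not impersonating and the process primary token applies, anything else is an impersonation token whose SID and level are reported instead. ImpersonateSelf is used only to exercise the probe without a second account; the class and function names are this example's own.

```powershell
# Added example: decide whether the calling thread carries an impersonation token
# and which SID a kernel access check would therefore use (thread token if present,
# otherwise the process primary token). Win32 calls via P/Invoke; names are ours.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ThreadTokenProbe
{
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentThread();

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenThreadToken(IntPtr thread, uint access, bool openAsSelf, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateSelf(int level);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const uint TOKEN_QUERY = 0x0008;
    const int ERROR_NO_TOKEN = 1008;        // thread has no impersonation token
    const int SecurityImpersonation = 2;    // SECURITY_IMPERSONATION_LEVEL value

    public sealed class Result
    {
        public bool Impersonating;
        public string Sid;
        public string Account;
        public string Level;
    }

    // OpenAsSelf=true: the open itself is checked against the process token, so the
    // probe still works when the thread impersonates a low-privilege or anonymous token.
    public static Result Probe()
    {
        IntPtr hToken;
        if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, true, out hToken))
        {
            try
            {
                // WindowsIdentity duplicates the handle, so ours can be closed afterwards.
                using (var id = new WindowsIdentity(hToken))
                {
                    return new Result {
                        Impersonating = true,
                        Sid = id.User.Value,
                        Account = id.Name,
                        Level = id.ImpersonationLevel.ToString()
                    };
                }
            }
            finally { CloseHandle(hToken); }
        }

        int err = Marshal.GetLastWin32Error();
        if (err != ERROR_NO_TOKEN) throw new Win32Exception(err);

        // No thread token: the process primary token is what access checks use.
        using (var id = WindowsIdentity.GetCurrent())
        {
            return new Result { Impersonating = false, Sid = id.User.Value, Account = id.Name, Level = "None" };
        }
    }

    // Gives the current thread an impersonation token (a copy of the process token) so the
    // probe can be exercised. A real impersonation (ImpersonateLoggedOnUser,
    // ImpersonateNamedPipeClient, ...) looks the same to Probe(), only with a different SID.
    public static void BeginSelfImpersonation()
    {
        if (!ImpersonateSelf(SecurityImpersonation))
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    public static void EndImpersonation()
    {
        if (!RevertToSelf()) throw new Win32Exception(Marshal.GetLastWin32Error());
    }
}
'@

$before = [ThreadTokenProbe]::Probe()
[ThreadTokenProbe]::BeginSelfImpersonation()
try     { $during = [ThreadTokenProbe]::Probe() }
finally { [ThreadTokenProbe]::EndImpersonation() }
$after = [ThreadTokenProbe]::Probe()

$before, $during, $after | ForEach-Object {
    '{0,-24} impersonating={1,-5} level={2,-14} sid={3}' -f $_.Account, $_.Impersonating, $_.Level, $_.Sid
}
```

The first and last rows show the process identity that a field like ps.sid would carry; the middle row shows the same account but with Impersonating set, which is the distinction the thread-impersonation concern above is about. Two caveats for doing this from a monitoring process rather than from inside the target: OpenThreadToken on another process's thread needs a thread handle opened with THREAD_QUERY_INFORMATION, and the thread may already have exited or reverted by the time an ETW event is consumed, so the check is only meaningful when done close to the event in time.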