
The threat actor had used advanced anti‑forensic techniques, deleting files, clearing logs, and obfuscating binaries, to conceal their activity and prevent malware analysis.
However, analysts discovered unexpected remnants of the attack inside an obscure Windows telemetry file named AutoLogger‑Diagtrack‑Listener.etl, shedding light on a previously undocumented forensic resource.
The file, located under %ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger, is generated by the Event Tracing for Windows (ETW) subsystem, a built‑in Microsoft feature that records detailed system events with low performance overhead.
ETW uses providers such as the kernel and network stack to log structured binary data into Event Trace Log (ETL) files. Modern EDR products often subscribe directly to ETW streams to monitor process activity in real time.
FGIR’s analysis revealed that the AutoLogger‑Diagtrack‑Listener.etl file, generally associated with Microsoft’s Connected User Experiences and Telemetry (DiagTrack) service, contained traces of deleted executables.
Process‑creation events in the KernelProcess → ProcessStarted stream included valuable metadata (process IDs, user SIDs, command‑line arguments, and executable paths), information that is typically erased during anti‑forensic cleanup.
Evidence of Deleted Malware and Testing Results
Investigators traced the execution of malicious binaries, including a ransomware payload named svhost.exe that encrypted remote drives and a renamed version of the rootkit tool GMER (gomer.exe).
Even though the attacker had deleted these files, their activity persisted within the binary ETL log, providing crucial evidence of execution.
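The following PowerShell script is an added example, not code from the Fortinet report: it reads process-start records out of AutoLogger‑Diagtrack‑Listener.etl and flags executables that no longer exist on disk. It assumes the file is readable (copy it first if DiagTrack holds it open), that the records come from the Microsoft-Windows-Kernel-Process provider with event ID 1 (ProcessStart), and that the ETW provider manifest is registered on the analysis machine so the fields decode by name; the drive-letter mapping of NT device paths is a heuristic.

```powershell
# Added example (not from the Fortinet report): list process-start records from
# AutoLogger-Diagtrack-Listener.etl and flag executables that are no longer on disk.
# Assumptions: Microsoft-Windows-Kernel-Process provider, event ID 1 = ProcessStart.
param(
    [string]$EtlPath = "$env:ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl"
)

# -Oldest is mandatory when Get-WinEvent reads a .etl file directly.
$events = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction Stop |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Process' -and $_.Id -eq 1 }

# Kernel-Process stores image paths as NT device paths (\Device\HarddiskVolumeN\...).
# Heuristic: try the path tail against every fixed drive letter to see if the file still exists.
$roots = (Get-PSDrive -PSProvider FileSystem | Where-Object Root -match '^[A-Z]:\\$').Root
function Test-ImageOnDisk([string]$ImageName) {
    if (-not $ImageName) { return $false }
    $tail = $ImageName -replace '^\\Device\\HarddiskVolume\d+\\', ''
    if ($tail -eq $ImageName) { return (Test-Path -LiteralPath $ImageName) }
    foreach ($r in $roots) { if (Test-Path -LiteralPath ($r + $tail)) { return $true } }
    return $false
}

$rows = foreach ($e in $events) {
    # Read EventData fields by name so the script does not depend on property order.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        ProcessId = $data['ProcessID']
        ParentPid = $data['ParentProcessID']
        User      = $e.UserId            # SID of the account that started the process
        Image     = $data['ImageName']
        OnDisk    = Test-ImageOnDisk $data['ImageName']
    }
}

# Everything the listener captured, in execution order.
$rows | Sort-Object Time | Format-Table -AutoSize

# The interesting set: execution is recorded, but the binary has since been deleted.
"`nExecutables recorded in the ETL but no longer present on disk:"
$rows | Where-Object { -not $_.OnDisk } | Select-Object Time, ProcessId, Image | Format-Table -AutoSize
```

Run it against a copy of the ETL taken during acquisition; on a system where the listener never populated the file (as in the tests described below), the output will simply be empty.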
To better understand this behavior, FortiGuard researchers conducted controlled tests on Windows Server 2022 and Windows 11 systems.

By increasing telemetry verbosity via the AllowTelemetry registry key and manually starting the AutoLogger‑Diagtrack‑Listener session using PowerShell and logman, they were able to recreate the ETL file.
However, despite successful activation, the file remained empty, implying that its population depends on undocumented internal triggers within the DiagTrack service.
The findings suggest that AutoLogger‑Diagtrack‑Listener.etl may be an overlooked forensic artifact that preserves historical process data even after extensive log tampering.
FGIR encourages further research to determine the precise conditions under which the DiagTrack service populates the file, as this may offer defenders a valuable secondary evidence source when conventional logs are erased.
Fortinet emphasized that its FortiEDR, FortiAnalyzer, and FortiSIEM solutions already leverage native Windows telemetry, including ETW events, to detect unauthorized process execution and correlate suspicious activity across endpoints.
Organizations using the Fortinet Security Fabric can thus benefit from extended visibility and improved detection of attackers hiding within the OS itself.
The post FortiGuard Team Finds Unexpected Forensic Artifacts Buried in Windows Telemetry Logs appeared first on Cyber Security News.
