We should supervise the status of the NT Kernel Logger ETW session periodically. Some threat actors enumerate and stop every running ETW session on the machine to blind telemetry. If the NT Kernel Logger session is found to be terminated, we try to start a new one and, where desired, send an alert indicating that the ETW session was stopped.
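A supervision loop of the kind described above, written as an added example that is not code from the original page. It assumes an elevated session on a Windows 10/Server 2016+ host where the EventTracingManagement module's `Get-EtwTraceSession` cmdlet and `logman.exe` are available; the kernel keyword set and the `EtwSessionSupervisor` event log source are assumptions.

```powershell
# Added example: poll the NT Kernel Logger session, recreate it if it has been
# stopped, and raise a warning so the stop is not silent.
# Assumes Get-EtwTraceSession (EventTracingManagement module) and logman.exe,
# and that the script runs elevated.
$SessionName    = 'NT Kernel Logger'
$KernelKeywords = '(process,thread,img)'   # assumed set of kernel event groups
$PollSeconds    = 10
$EventSource    = 'EtwSessionSupervisor'   # hypothetical event log source

function Test-KernelLoggerRunning {
    # Returns $true when the NT Kernel Logger session is currently active.
    $session = Get-EtwTraceSession -Name $SessionName -ErrorAction SilentlyContinue
    return ($null -ne $session)
}

function Start-KernelLogger {
    # Recreate the real-time kernel session; -ets sends the command straight
    # to the event trace system instead of creating a data collector set.
    & logman.exe start "$SessionName" -p 'Windows Kernel Trace' $KernelKeywords -rt -ets | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Send-SessionStoppedAlert {
    param([bool]$Restarted)
    $outcome = if ($Restarted) { 'succeeded' } else { 'FAILED' }
    $msg = "ETW session '$SessionName' was not running; restart $outcome"
    Write-Warning $msg
    # Also write to the Application log when the source was registered (New-EventLog).
    if ([System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        Write-EventLog -LogName Application -Source $EventSource -EntryType Warning -EventId 1001 -Message $msg
    }
}

# Supervision loop: detect an externally stopped session and recover from it.
while ($true) {
    if (-not (Test-KernelLoggerRunning)) {
        $ok = Start-KernelLogger
        Send-SessionStoppedAlert -Restarted $ok
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Note that polling only detects the stop after the fact: events emitted between the stop and the restart are lost, so a restart alert should be treated as a signal to investigate rather than as full recovery.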