FortiGuard IR discovered historical evidence of deleted malware and attacker activity inside the AutoLogger-Diagtrack-Listener.etl ETW file on a compromised Windows Server, revealing that KernelProcess → ProcessStarted events can retain command-line and execution details for binaries that were later removed. The AutoLogger-Diagtrack-Listener.etl file’s population appears controlled by undocumented DiagTrack triggers and is inconsistently populated across Windows builds, limiting its immediate reliability as a forensic source. #AutoLogger-Diagtrack-Listener.etl #GMER
Keypoints
- FortiGuard IR recovered evidence of deleted tools and malware inside AutoLogger-Diagtrack-Listener.etl by parsing ETW payloads, including command-line data from KernelProcess → ProcessStarted events.
- The AutoLogger-Diagtrack-Listener.etl file is created by the DiagTrack (Connected User Experiences and Telemetry) service at %ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger when telemetry is recorded, but is not reliably populated by changing AllowTelemetry to 3 and starting the autologger session manually.
- FGIR extracted execution traces for deleted binaries (e.g., GMER renamed to gomer.exe) and several malicious batch files from the ETL, demonstrating potential forensic value despite adversary attempts at cleanup and obfuscation.
- Controlled testing on Windows Server 2022 and Windows 11 showed the ETL file can be created via registry and logman commands but often remains empty, implying internal DiagTrack conditions or undocumented triggers control population.
- Unclear, undocumented conditions determine when AutoLogger-Diagtrack-Listener.etl is populated, and further cross-build research is needed to validate its consistency and forensic utility.
- Fortinet products (FortiEDR, FortiAnalyzer, FortiSIEM, FortiGuard Threat Intelligence) can detect and correlate behaviors such as process creation, command-line use, renamed administrative tools, script-based execution, and fileless techniques that adversaries use to evade ETW-based logging.
MITRE Techniques
- [T1070.004] Indicator Removal on Host – File Deletion – ‘They attempted to achieve this by deleting files and folders they had created, clearing logs and obfuscating malware.’
- [T1070.001] Indicator Removal on Host – Clear Windows Event Logs – ‘They attempted to achieve this by deleting files and folders they had created, clearing logs and obfuscating malware.’
- [T1027] Obfuscated Files or Information – Malware obfuscation to hinder analysis and avoid detection – ‘They attempted to achieve this by deleting files and folders they had created, clearing logs and obfuscating malware.’
- [T1036.005] Masquerading: Match Legitimate Name – Renaming legitimate or known tools to evade detection and hide provenance (GMER renamed gomer.exe) – ‘including the tool GMER (renamed gomer.exe) and several malicious batch files.’
- [T1059] Command and Scripting Interpreter – Use of malicious batch files and script-based execution observed in the investigation – ‘and several malicious batch files.’
- [T1218] Signed Binary Proxy Execution / Living Off The Land – Use of living-off-the-land techniques and reliance on system tooling to evade logging and detection – ‘living-off-the-land techniques are recognized and blocked.’
Indicators of Compromise
- [File name] Deleted or recovered binaries and telemetry files – AutoLogger-Diagtrack-Listener.etl, gomer.exe (renamed GMER).
- [File path] ETL storage and example executable path – %ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl, C:\Windows\System32\notepad.exe (example ImageName field).
- [Registry key] Telemetry configuration controlling verbosity – HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry set to 3 in tests.
- [Commands / Artifacts] Commands used to create or configure the ETL session – New-ItemProperty (AllowTelemetry), logman start/update “AutoLogger-Diagtrack-Listener” – and associated command lines recorded in ETW events.
- [Service / Provider] Telemetry and tracing sources – DiagTrack (Connected User Experiences and Telemetry) service and ETW provider KernelProcess → ProcessStarted (Event ID 1).
- [Event data] ETW event fields useful for forensics – ProcessID, ParentProcessID, ImageName, CommandLine (examples recovered include deleted tool execution and batch file commands).
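The following PowerShell triage script is an added example, not FortiGuard's tooling: it checks whether the ETL was actually populated (the empty-file case from the keypoints) and then pulls Event ID 1 process-start records out of it, flagging ImageName values that no longer exist on disk. It assumes Get-WinEvent can decode the events on the analysis host and that the payload field names match those listed above (ImageName, CommandLine, ProcessID, ParentProcessID); the provider-name filter and the device-path caveat are assumptions.

```powershell
# Added example (not FortiGuard's code): triage AutoLogger-Diagtrack-Listener.etl for
# process-start events whose ImageName has since been deleted.
# Assumptions: Get-WinEvent can decode the events (provider manifest resolvable here);
# payload field names are ImageName, CommandLine, ProcessID, ParentProcessID.

$EtlPath = Join-Path $env:ProgramData 'Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl'

function Get-EtlStatus {
    param([string]$Path = $EtlPath)
    # The file is often created but left empty; report the size before parsing.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Bytes = 0 }
    }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{ Path = $Path; Exists = $true; Bytes = $item.Length; LastWriteUtc = $item.LastWriteTimeUtc }
}

function Get-ProcessStartEvidence {
    param([string]$Path = $EtlPath)
    # -Oldest is required when Get-WinEvent reads an .etl file directly.
    Get-WinEvent -Path $Path -Oldest -ErrorAction Stop |
      Where-Object { $_.Id -eq 1 -and $_.ProviderName -like '*Kernel-Process*' } |
      ForEach-Object {
        # Resolve payload fields by name from the event XML, not by position,
        # because field order differs between Windows builds.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $img = $d['ImageName']
        # Kernel events may carry NT device paths (\Device\HarddiskVolumeN\...);
        # only drive-letter paths are checked on disk here, others stay $null.
        $onDisk = if ($img -match '^[A-Za-z]:\\') { Test-Path -LiteralPath $img } else { $null }
        [pscustomobject]@{
            Time            = $_.TimeCreated
            ProcessID       = $d['ProcessID']
            ParentProcessID = $d['ParentProcessID']
            ImageName       = $img
            CommandLine     = $d['CommandLine']
            StillOnDisk     = $onDisk
        }
      }
}

# Usage: list executions whose binary has since disappeared (the renamed-GMER case).
Get-EtlStatus
Get-ProcessStartEvidence | Where-Object { $_.StillOnDisk -eq $false } |
    Format-Table Time, ProcessID, ParentProcessID, ImageName, CommandLine -AutoSize
```

Run it against a copy of the ETL from the target system on an analysis host; a StillOnDisk of $null means the path form could not be checked, not that the file is present.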