FortiGuard Team Uncovers Stealth Forensic Data Within Windows Telemetry

During a recent incident response engagement, FortiGuard IR services responded to a sophisticated ransomware attack in which threat actors deployed advanced anti-forensic techniques to eliminate their digital footprint.

The attackers deleted malware, cleared logs, and obfuscated tools to prevent analysis.

However, FortiGuard researchers made a critical discovery: historical evidence of the deleted malware and attacker tools remained hidden within an obscure Windows ETL file called AutoLogger-Diagtrack-Listener.etl, a telemetry artifact generated by the Event Tracing for Windows (ETW) infrastructure.

Event Tracing for Windows is a high-performance logging framework built into Windows that enables detailed event recording with minimal system overhead.

Unlike traditional plain-text logs, ETW uses structured event data from providers such as the kernel, TCP/IP stack, and registry, which feed into ETW sessions.

These sessions can either buffer data for real-time consumption or write it to binary Event Trace Log (ETL) files for later analysis.

The ETW architecture comprises three key components: providers (event sources), controllers (which manage sessions through tools like logman), and consumers (EDRs, debuggers, and Event Viewer).

Modern endpoint detection and response tools leverage this capability by subscribing directly to ETW providers for real-time behavioral monitoring.

The AutoLogger-Diagtrack-Listener.etl file, typically stored at %ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger, records telemetry from the Connected User Experiences and Telemetry (DiagTrack) service.

This file’s creation depends on the DiagTrack service being enabled and collecting diagnostic data.

Figure: DiagTrack Service.

The verbosity of telemetry logging can be configured through the AllowTelemetry registry key, with four levels: Security (0, server default), Basic (1, minimal collection), Enhanced (2, deprecated), and Full (3, complete capture). By default, the setting is 0x1, which rarely results in ETL file creation.

Critical Forensic Discovery

During the disk image analysis, FortiGuard researchers identified process-creation events within the KernelProcess → ProcessStarted stream that retained valuable historical data, including command-line details for previously executed binaries.

This breakthrough allowed investigators to extract evidence of deleted malware and tools, including GMER (renamed as gomer.exe) and malicious batch files that the threat actor attempted to remove.

Figure: Evidence of Execution of GMER and Malicious Batch Files.

To understand the exact conditions triggering file population, FortiGuard conducted controlled experiments on Windows Server 2022 and Windows 11 systems.

The captured ETW events recorded essential forensic details: process ID, parent process ID, session ID, executable path, command-line arguments, user security identifier, and package information.

These fields proved invaluable in reconstructing the attacker’s execution chain despite deliberate deletion attempts.

Researchers set the AllowTelemetry registry key to its maximum verbosity level (3, Full) and used the logman command to start and update the AutoLogger-Diagtrack-Listener ETW session.

Despite successful execution and file creation, the resulting ETL remained unpopulated, suggesting that the DiagTrack service controls population through undocumented internal triggers.

This unresolved behavior presents both challenges and opportunities for the security community.

While the conditions for consistent population remain unclear, the discovery demonstrates that AutoLogger-Diagtrack-Listener.etl can serve as a critical forensic artifact when correctly populated, potentially revealing process execution traces that survive deliberate deletion attempts.
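The following PowerShell script is an added example, not FortiGuard's tooling or anything from the article, that pulls together the two practical threads above: the pre-conditions for the artifact (DiagTrack service state, AllowTelemetry level, whether the autologger session is registered and running, and whether the ETL has any content) and the consumer side, reading the ETL with Get-WinEvent and extracting the decoded fields of process events. The provider-name wildcard, the two AllowTelemetry registry locations and the Autologger configuration key are assumptions marked in the comments; the search pattern uses the renamed tool name the article reports (gomer.exe) purely as a triage filter.

```powershell
# Added example (not FortiGuard's or Fortinet's code): triage of the DiagTrack
# autologger ETL described in the article. Run from an elevated PowerShell on
# the host or, preferably, against a copy of the file taken from a disk image.
# Names marked "assumed" are not taken from the article.

$SessionName = 'AutoLogger-Diagtrack-Listener'
$EtlPath = Join-Path $env:ProgramData "Microsoft\Diagnosis\ETLLogs\AutoLogger\$SessionName.etl"

function Get-DiagTrackTelemetryState {
    # Collects the pre-conditions the article names: service state, AllowTelemetry
    # level, whether the autologger session exists/is running, and the ETL size.
    $levels = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced (deprecated)'; 3 = 'Full' }
    $svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue

    # AllowTelemetry is read from the two standard policy locations (assumed to be
    # the ones the article means); the first value found wins.
    $level = $null
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection') {
        $v = Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $v) { $level = [int]$v.AllowTelemetry; break }
    }

    # Autologger sessions are configured under the WMI\Autologger key (assumed
    # subkey name = session name); a running session is listed by "logman query -ets".
    $autologgerKey = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\$SessionName"
    $running = (logman query -ets 2>$null) -match [regex]::Escape($SessionName)

    [pscustomobject]@{
        DiagTrackStatus      = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
        AllowTelemetry       = if ($null -ne $level) { "$level ($($levels[$level]))" } else { 'not set (defaults to 1 Basic)' }
        AutologgerConfigured = Test-Path $autologgerKey
        SessionRunning       = [bool]$running
        EtlPath              = $EtlPath
        EtlSizeBytes         = if (Test-Path $EtlPath) { (Get-Item $EtlPath).Length } else { -1 }
    }
}

function Get-ProcessStartEvidence {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Pattern = '.*'   # regex applied to the flattened event fields
    )
    # Get-WinEvent reads .etl files directly; -Oldest is mandatory for ETL input.
    # Events decode only if the provider's manifest is registered on the analysis host.
    foreach ($e in Get-WinEvent -Path $Path -Oldest -ErrorAction Stop) {
        # The article names the KernelProcess/ProcessStarted stream; a wildcard on the
        # provider name (assumed) avoids hard-coding a name the article does not give.
        if ($e.ProviderName -notlike '*Kernel*Process*') { continue }
        $xml = [xml]$e.ToXml()
        $fields = [ordered]@{}
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($d -and $d.Name) { $fields[$d.Name] = [string]$d.'#text' }
        }
        # Flatten PID, parent PID, session ID, image path, command line, SID, package
        # fields (whatever the provider emitted) into one searchable line.
        $flat = ($fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        if ($flat -notmatch $Pattern) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Provider    = $e.ProviderName
            Task        = $e.TaskDisplayName
            Opcode      = $e.OpcodeDisplayName
            Fields      = $flat
        }
    }
}

# Usage: report the telemetry state, then list decoded process events whose fields
# mention the renamed tool the article reports (gomer.exe) or a batch file.
Get-DiagTrackTelemetryState | Format-List
if (Test-Path $EtlPath) {
    Get-ProcessStartEvidence -Path $EtlPath -Pattern 'gomer\.exe|\.bat\b' | Format-Table -Wrap
}
```

On a live host the active autologger session usually holds the ETL open, so Get-WinEvent may fail with a file-in-use error; in that case, or when the host's state is itself in question, run the parser against a copy of the file carved from the disk image, which is how the evidence above was recovered. An empty result with a non-zero file size usually means the provider manifest is not registered on the analysis machine, not that the events are absent.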

Fortinet’s Defense Strategy

Fortinet’s integrated Security Fabric counters such attacks through multiple layers. FortiEDR provides kernel-level endpoint monitoring that detects unauthorized process launches and renamed administrative tools in real time.

FortiAnalyzer and FortiSIEM ingest native Windows telemetry, including ETW data, enabling correlation of suspicious events across enterprise environments.

FortiGuard Threat Intelligence continuously enriches detections with real-time updates, ensuring emerging malware variants and evasion techniques are recognized and blocked.

Organizations leveraging Fortinet’s unified platform gain comprehensive visibility across network, endpoint, and telemetry sources, providing the forensic depth needed to counter sophisticated anti-forensic attacks.
