FortiGuard IR uncovers forensic insights in Windows AutoLogger-Diagtrack-Listener.etl, a telemetry artefact with untapped investigative value.
Analysis Summary
# Tool/Technique: AutoLogger-Diagtrack-Listener.etl
## Overview
The **AutoLogger-Diagtrack-Listener.etl** file is an obscure telemetry artifact generated by the Event Tracing for Windows (ETW) infrastructure, observed during incident response investigations in which threat actors attempted anti-forensic techniques. While ETW is a standard high-performance logging framework, this specific ETL file appears to be related to the **Connected User Experiences and Telemetry (DiagTrack)** service, and holds potentially valuable, yet inconsistently populated, forensic data on low-level OS activity such as process execution.
## Technical Details
- Type: Technique / Forensic Artifact (related to Windows ETW Infrastructure)
- Platform: Windows 10, Windows 11, Windows Server 2016 and later
- Capabilities: Potentially captures granular process creation, execution traces, and other low-level system events, offering forensic visibility even after standard logs are cleared or files are deleted.
- First Seen: No date is given; the report describes FortiGuard IR's recent discovery and focused analysis of this artifact during active investigations (the report carries a December 2025 publication date).
## MITRE ATT&CK Mapping
Since this is a *forensic artifact* that captures activity rather than an active malicious tool itself, its primary mapping relates to adversary activities that *generate* the data within it, and the defensive Tactic of *Collection*.
- **TA0009 - Collection** (If an attacker's activity populates this log, or if defenders analyze it)
- **T1005 - Data from Local System** (The artifact itself is data from the local system)
- **TA0005 - Defense Evasion** (Threat actors often try to evade standard logging, making analysis of non-standard logs necessary)
## Functionality
### Core Capabilities
- Serves as a binary log file generated by the Windows ETW framework.
- Expected to capture structured event data from various providers (kernel, registry, etc.).
- In the context of investigations, it has stored historical evidence of deleted malware and executed tools.
### Advanced Features
- Its population mechanism appears internally controlled by the **Connected User Experiences and Telemetry (DiagTrack)** service, suggesting conditional logging triggers that are not publicly documented.
- It may persist data even when threat actors employ anti-forensic methods to delete standard logs or files.
## Indicators of Compromise
- File Hashes: Not specified in the report
- File Names: `AutoLogger-Diagtrack-Listener.etl`
- Registry Keys: Not specified in the report
- Network Indicators: None for the artifact itself; network indicators would appear only in the activity recorded within it
- Behavioral Indicators: Presence of process creation, command-line execution, and use of renamed administrative tools documented within the ETL file structure.
## Associated Threat Actors
- Threat actor engaged in a **ransomware attack** known for utilizing anti-forensic techniques, file/folder deletion, log clearing, and malware obfuscation on Windows Server 2016.
## Detection Methods
- **EDR/Security Solutions:** Solutions like FortiEDR monitor process activity at the kernel level, which correlates with the types of events ETW captures.
- **SIEM/Log Analysis:** FortiAnalyzer/FortiSIEM can ingest native Windows telemetry (ETW data) to correlate suspicious events.
- **Forensic Analysis:** Specialized tools are required to parse the binary contents of ETL files for forensic evidence.
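As an added example, not part of the FortiGuard report, the following PowerShell triages a preserved copy of the ETL file with `Get-WinEvent`, which can read `.etl` input directly when `-Oldest` is supplied. It hashes the evidence copy, summarises which providers and event IDs actually populated the log on that host, and surfaces records whose payload mentions an executable. The `$EtlPath` default is a placeholder for wherever your evidence copy lives; the report does not give the file's on-disk location.

```powershell
# Added example (not from the FortiGuard report): offline triage of an
# AutoLogger-Diagtrack-Listener.etl copy. Assumption: $EtlPath is a placeholder
# to replace with the path of your preserved evidence copy.
param(
    [string]$EtlPath = 'C:\Evidence\AutoLogger-Diagtrack-Listener.etl'   # placeholder
)

if (-not (Test-Path -LiteralPath $EtlPath)) {
    throw "ETL file not found: $EtlPath"
}

# Hash the evidence copy before touching it (chain of custody).
$hash = Get-FileHash -LiteralPath $EtlPath -Algorithm SHA256
Write-Host "SHA256 $($hash.Hash)  $EtlPath"

# Get-WinEvent reads .etl files directly; -Oldest is mandatory for that input type.
# Wrap in @() so a single-event result still behaves as an array.
$events = @(Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No decodable events: the file may be empty, or the providers' manifests are not registered on this analysis host."
    return
}

Write-Host ("{0} events, {1:u} .. {2:u}" -f $events.Count, $events[0].TimeCreated, $events[-1].TimeCreated)

# Which providers and event IDs populated the log on this host? This is the
# quickest way to see what the "inconsistently populated" artifact holds here.
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Records whose rendered message or raw XML mentions an executable. Property
# names differ per provider, so match on the text rather than a fixed schema;
# Message is $null when the manifest is missing, so guard before trimming it.
$events |
    Where-Object { ($_.Message -match '\.exe') -or ($_.ToXml() -match '\.exe') } |
    Select-Object TimeCreated, ProviderName, Id, ProcessId,
        @{ Name = 'Detail'; Expression = {
            $m = if ($_.Message) { $_.Message -replace '\s+', ' ' } else { '' }
            if ($m.Length -gt 160) { $m.Substring(0, 160) } else { $m }
        } } |
    Format-Table -Wrap
```

Run it on an analysis workstation that has the same Windows feature level as the source host, since `Get-WinEvent` renders messages only for providers whose manifests are registered locally; events from unregistered providers still appear but with an empty `Message`, which is why the script also inspects the raw XML. On a live system, `logman query -ets` lists the currently running trace sessions and is the standard way to confirm whether the DiagTrack-related session is active before you image the file.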
## Mitigation Strategies
- **Continuous Monitoring:** Deploying EDR solutions (like FortiEDR) for real-time, kernel-level monitoring of process activity to detect malicious execution regardless of logging infrastructure status.
- **Telemetry Correlation:** Ingesting and correlating Windows telemetry, including ETW data, via SIEM solutions to reconstruct execution chains.
- **Visibility Research:** Continued research into the conditions that trigger population of `AutoLogger-Diagtrack-Listener.etl` to maximize forensic visibility in future incidents.
## Related Tools/Techniques
- **Event Tracing for Windows (ETW):** The underlying framework used to generate the log data.
- **logman / PerfMon:** Standard Windows tools used to manage ETW sessions (controllers).
- **DiagTrack Service (Connected User Experiences and Telemetry):** The service suspected of controlling the logging behavior of this specific ETL file.