ETWScope is a professional, hybrid Rust/Python Windows telemetry research platform designed for exploring Event Tracing for Windows (ETW) provider activity in real time.
This project is purely defensive and research-oriented. It is NOT an offensive security tool or an EDR bypass framework. It is intended for detection engineering, telemetry resilience scoring (TRS), and behavioral anomaly detection.
The platform is built on a high-performance hybrid stack:

- **Backend (Rust):** Provides a blazing-fast ETW subscription engine capable of parsing thousands of ETW events per second natively on Windows. On Linux development environments, it supports file-based streaming (`--mock`) to emulate live ingestion.
- **Frontend & Analysis (Python):** Uses Textual for a rich Terminal User Interface (TUI). It consumes the JSON stream from the backend and calculates sliding-window entropy, timing variance ($CV_t$), and TRS.
- **Rules Engine:** A Sigma/YARA-inspired YAML detection engine for stateful sequence tracking.
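The sliding-window entropy and $CV_t$ computations described above, as an added illustration that is not ETWScope's own code. The JSON field names (`ts` in milliseconds, `event_id`) and the sample events are constructed assumptions, not the backend's real schema:

```python
import json
import math
from collections import Counter, deque

# Constructed JSON-lines sample; field names (ts in ms, event_id) are assumed,
# not ETWScope's real schema. Four steady events, then a 10 ms burst of new IDs.
SAMPLE_STREAM = "\n".join(json.dumps(e) for e in [
    {"ts": 1000, "event_id": 1}, {"ts": 1100, "event_id": 1},
    {"ts": 1200, "event_id": 1}, {"ts": 1300, "event_id": 1},
    {"ts": 1310, "event_id": 2}, {"ts": 1320, "event_id": 3},
    {"ts": 1330, "event_id": 4}, {"ts": 1340, "event_id": 5},
])

def shannon_entropy(symbols):
    """Shannon entropy (bits) of the event IDs in the current window."""
    n = len(symbols)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())

def timing_cv(timestamps):
    """CV_t: standard deviation of inter-arrival gaps divided by their mean."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return 0.0
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return 0.0
    return math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)) / mean

def analyse_stream(jsonl, window_size=8):
    """Return (entropy, CV_t) after each event, over sliding windows."""
    ids, ts = deque(maxlen=window_size), deque(maxlen=window_size)
    results = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the stream
        event = json.loads(line)
        ids.append(event["event_id"])
        ts.append(event["ts"])
        results.append((shannon_entropy(ids), timing_cv(list(ts))))
    return results

if __name__ == "__main__":
    for i, (h, cv) in enumerate(analyse_stream(SAMPLE_STREAM), 1):
        print(f"event {i}: entropy={h:.3f} bits  CV_t={cv:.3f}")
```

Over the steady first four events both metrics stay at zero; the burst of new IDs at 10 ms spacing pushes window entropy to 2 bits and $CV_t$ above 0.9, which is the kind of shift a threshold or rule would key on.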
Prerequisites:

- Rust (Cargo)
- Python 3.11+

Installation:

- Compile the backend:

  ```bash
  cd backend
  cargo build --release
  cd ..
  ```

- Install the Python dependencies:

  ```bash
  python -m venv venv
  source venv/bin/activate
  pip install -r requirements.txt
  ```
If you are developing on Linux or macOS, you can simulate a live ETW session using the included samples:

```bash
python main.py --mock samples/mutated_kp.json
```

To run on a live Windows machine, compile the backend targeting Windows (`cargo build --target x86_64-pc-windows-msvc`) and remove the `--mock` flag from the invocation.
Roadmap:

- Machine Learning Anomaly Detection
- Graph database backend for visualization
- Full native Sigma rule conversion
- Distributed telemetry collection agents