A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. BamboozlEDR features a TUI interface and can generate realistic security events across multiple Windows ETW providers to test EDR detection capabilities, log analysis systems, and security monitoring solutions.
Note: This tool is built as a proof of concept. It is not polished code, and it is intentionally built as a TUI utility that requires some user interaction to work, which limits abuse by skiddies.
Supported ETW providers:
- Microsoft-Windows-Antimalware - Threat detection events (Event ID 48)
- Microsoft-Windows-Antimalware-RTP - Real-time protection events (Event IDs 27, 14)
- Microsoft-Windows-LDAP-Client - LDAP search and authentication events
- Microsoft-Windows-TCPIP - TCP/IP connection events
- Microsoft-Windows-WMI-Activity - WMI query and execution events (Event IDs 22, 11)
- Microsoft-Windows-AMSI - AMSI scan events
- Microsoft-Windows-Defender - Windows Defender events (Event IDs 5000, 5001, 1116, 1117)
- Microsoft-Windows-DotNETRuntime - .NET runtime events
- Microsoft-Windows-Crypto-DPAPI-Events - DPAPI access events
- Microsoft-Windows-Security-Auditing - Security audit events (Event ID 4688)
- Microsoft-Windows-PowerShell - PowerShell commandlet and AMSI events
- Microsoft-Windows-RPC - RPC function trace events (Event ID 14)
- Microsoft-Windows-CodeIntegrity - Code Integrity events (Event IDs 3023, 3036, 3076, 3077)
- Microsoft-Windows-AppLocker - AppLocker events (Event IDs 8003, 8004, 8006, 8007, 8021, 8022, 8024, 8025)
- Microsoft-Windows-NTLM - NTLM blocking events (Event ID 8001)
Event generation modes:
- Single Events - Generate individual events for testing
- Batch Events - Generate multiple events from predefined lists
- BamboozlEDR - Execute multiple events simultaneously to confuse EDR
- Buffer Overflow - Generate unlimited high-volume events from all providers simultaneously
- Custom Events - Generate events with custom parameters
String obfuscation: all threat names in the data lists are XOR-encoded so that they do not appear as plain-text strings in the compiled binary. This protects against:
- Static analysis detection of threat names
- String-based signature matching
- Binary analysis tools finding embedded threat data
The obfuscation is applied at compile time, and strings are decoded only at runtime when needed, so no plain-text threat names exist in the binary file.
Privilege handling:
- Conditional Feature Access - ETW trace monitoring is only available when running as administrator
- Graceful Degradation - Application works normally without admin privileges
Main menu options:
- Microsoft-Antimalware-RTP - Generate real-time protection events
- Microsoft-Windows-AMSI - Generate AMSI provider events
- Microsoft-Windows-Antimalware - Generate antimalware detection events
- Microsoft-Windows-AppLocker - Generate AppLocker events
- Microsoft-Windows-CodeIntegrity - Generate Code Integrity events
- Microsoft-Windows-Crypto-DPAPI-Events - Generate DPAPI access events
- Microsoft-Windows-DotNETRuntime - Generate .NET runtime events
- Microsoft-Windows-Ldap-Client - Generate LDAP client events
- Microsoft-Windows-NTLM - Generate NTLM blocking events
- Microsoft-Windows-PowerShell - Generate PowerShell events
- Microsoft-Windows-RPC - Generate RPC function trace events
- Microsoft-Windows-TCPIP - Generate TCP/IP network events
- Microsoft-Windows-WMI-Activity - Generate WMI activity events
- Microsoft-Windows-Windows Defender - Generate Windows Defender events
- Cyber events - Simulate cyber attack events
- BamboozlEDR - Execute multiple events to confuse EDR
- Buffer Overflow - Generate unlimited events from all providers
- User-Mode Antimalware Trace - Monitor Microsoft-Antimalware-Engine (no admin required)
- NotMDE ETW Trace Monitor - Create/manage external ETW trace session with the same providers MDE relies on.
Per-provider submenu options:
- Single random malware event - Generate one random malware detection
- Single random benign event - Generate one random benign detection
- Spam malware events - Generate multiple malware detections
- Spam benign events - Generate multiple benign detections
- Ransomware - Generate ransomware detection
- RTP detection events - Generate real-time protection detection events (27 + 14)
- Single AMSI event - Generate AMSI scan event
- Suspicious AMSI events - Generate suspicious AMSI scans
- Spam AMSI events - Generate multiple AMSI scans
- Process Audit (8003) - Generate AppLocker process audit event
- Process Block (8004) - Generate AppLocker process block event
- Script Audit (8006) - Generate AppLocker script audit event
- Script Block (8007) - Generate AppLocker script block event
- Appx Process Audit (8021) - Generate AppLocker Appx process audit event
- Appx Process Block (8022) - Generate AppLocker Appx process block event
- Appx Script Audit (8024) - Generate AppLocker Appx script audit event
- Appx Script Block (8025) - Generate AppLocker Appx script block event
- Spam AppLocker events - Generate multiple random AppLocker events
- Revoked Driver (3023) - Generate CiRevokedDriverNotLoaded event
- Revoked Image (3036) - Generate CiRevokedImageNotLoaded event
- Policy Failure Audit (3076) - Generate DeviceGuard policy failure audit
- Policy Failure Block (3077) - Generate DeviceGuard policy failure
- Spam CodeIntegrity events - Generate multiple random CodeIntegrity events
- Single DPAPI event - Generate single DPAPI access event
- Spam DPAPI events - Generate multiple DPAPI events
- Infinite DPAPI events - Generate DPAPI events continuously
- Single .NET event - Generate .NET runtime event
- Malicious .NET event - Generate malicious .NET event
- Spam .NET events (1337) - Generate multiple .NET events
- ADExplorer event - Generate ADExplorer LDAP search
- SharpHound events - Generate SharpHound LDAP searches
- Spam LDAP events - Generate multiple LDAP searches
- NTLM Blocking Event (8001) - Generate single NTLM blocking event
- Spam NTLM events - Generate multiple random NTLM blocking events
- Single Random PowerShell event - Generate single random PowerShell commandlet event
- Random PowerShell AMSI event - Generate random PowerShell AMSI scan event
- Spam PowerShell events - Generate multiple mixed PowerShell events
- Function trace event - Generate RPC function trace event (14)
- Spam TCP/IP events - Generate multiple network events
- SMB Scan TCP/IP events - Generate SMB scanning events
- Single Random TCP/IP event - Generate one random network event
- Single Kerberos TCP/IP event - Generate Kerberos network event
- Single SMB TCP/IP event - Generate SMB network event
- Single WMI Event 22 - Generate WMI activity event
- Suspicious WMI Events 22 - Generate suspicious WMI activity
- Spam WMI Events 22 - Generate multiple WMI events
- Single WMI Event 11 - Generate WMI event type 11
- Suspicious WMI Events 11 - Generate suspicious WMI type 11
- Spam WMI Events 11 - Generate multiple WMI type 11
- Local WMI Event 11 - Generate local WMI event
- Remote WMI Event 11 - Generate remote WMI event
- Realtime protection enabled (5000) - Generate defender enabled event
- Realtime protection disabled (5001) - Generate defender disabled event
- Malware detected + Remediated (1116/1117) - Generate malware detection event
- Spam Defender events - Generate multiple defender events
The Buffer Overflow feature runs optimized ETW providers simultaneously at maximum throughput. Its features are:
- Real-Time TUI Display - Clean table interface showing statistics per provider
- Live Statistics - Success/failure counts, total events, and events per second
- Advanced Performance Optimizations - 100,000 pre-allocated GUID pool, reduced string conversions
- Streamlined Event Generation - Simplified event structures for maximum speed
- 6 Concurrent Providers - Focused on highest-volume providers for optimal performance
- Intelligent Logging - Reduced frequency (every 1000 events) to minimize overhead
- Cycle-Based Selection - Efficient data cycling instead of expensive random generation
- Auto-Refresh Display - Updates every 2 seconds with current statistics
- Enhanced Error Reporting - Descriptive Windows error codes instead of cryptic numbers
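From the consumer's side, a flood like the Buffer Overflow mode shows up as an event rate far above the provider's baseline. The following is an added example, not code from BamboozlEDR, showing a sliding-window rate check over a constructed event stream: one provider emits at a normal rate and another is flooded, and the monitor reports the peak in-window count per provider and when each provider first crossed the threshold. The window size, threshold and timestamps are all constructed values.

```python
"""Sliding-window event-rate check over ETW-style records.

Added example (not part of BamboozlEDR). Detects a provider whose event count
inside a rolling time window exceeds a configured maximum, which is how a
high-volume generator looks to a log consumer. All inputs are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class EtwEvent:
    timestamp_ms: int   # constructed millisecond timestamp
    provider: str       # ETW provider name
    event_id: int


class RateMonitor:
    """Keeps one rolling window of timestamps per provider."""

    def __init__(self, window_ms: int, max_events: int):
        self.window_ms = window_ms
        self.max_events = max_events
        self._windows = defaultdict(deque)

    def observe(self, ev: EtwEvent) -> int:
        """Record an event and return how many events of that provider fall
        inside the window ending at this event's timestamp."""
        q = self._windows[ev.provider]
        q.append(ev.timestamp_ms)
        # Drop timestamps that have aged out of the window.
        while q and ev.timestamp_ms - q[0] > self.window_ms:
            q.popleft()
        return len(q)


def detect_floods(events, window_ms=1000, max_events=100):
    """Return (peak_count_per_provider, first_alert_timestamp_per_provider).

    A provider appears in the second dict only if it exceeded max_events
    within a single window at some point in the stream.
    """
    mon = RateMonitor(window_ms, max_events)
    peak, first_alert = {}, {}
    for ev in sorted(events, key=lambda e: e.timestamp_ms):
        count = mon.observe(ev)
        peak[ev.provider] = max(peak.get(ev.provider, 0), count)
        if count > max_events and ev.provider not in first_alert:
            first_alert[ev.provider] = ev.timestamp_ms
    return peak, first_alert


def build_sample_stream():
    """Constructed stream: TCPIP at 2 events/s for 10 s, WMI-Activity at
    1000 events/s for 2 s (a flood)."""
    normal = [EtwEvent(t, "Microsoft-Windows-TCPIP", 0) for t in range(0, 10000, 500)]
    flood = [EtwEvent(t, "Microsoft-Windows-WMI-Activity", 22) for t in range(0, 2000)]
    return normal + flood


if __name__ == "__main__":
    peaks, alerts = detect_floods(build_sample_stream())
    for provider, peak_count in peaks.items():
        flagged = "FLOOD" if provider in alerts else "ok"
        print(f"{provider}: peak {peak_count} events/window [{flagged}]")
```

The threshold is per provider and per window; in practice it is set from an observed baseline, since providers such as TCPIP are legitimately far noisier than, say, Antimalware detection events.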
Provider GUIDs:
- Microsoft-Windows-Antimalware: 751ef305-6c6e-4fed-b847-02ef79d26aef
- Microsoft-Windows-LDAP-Client: 099614a5-5dd7-4788-8bc9-e29f43db28fc
- Microsoft-Windows-TCPIP: 2f07e2ee-15db-40f1-90ef-9d7ba282188a
- Microsoft-Windows-WMI-Activity: 1418ef04-b0b4-4623-bf7e-d74ab47bbdaa
- Microsoft-Windows-AMSI: 2a576b87-09a7-520e-c21a-4942f0271d67
- Microsoft-Windows-Crypto-DPAPI-Events: 89fe8f40-cdce-464e-8217-15ef97d4c7c3
- Microsoft-Windows-PowerShell: a0c1853b-5c40-4b15-8766-3cf1c58f985a
- Microsoft-Windows-Security-Auditing: 54849625-5478-4994-a5ba-3e3b0328c30d
- Microsoft-Antimalware-Engine: 0a002690-3839-4e3a-b3b6-96d8df868d99
Event IDs generated per provider:
- Antimalware Detection: Event ID 48
- Real-Time Protection: Event IDs 27, 14
- WMI Activity: Event IDs 22, 11
- Windows Defender: Event IDs 5000, 5001, 1116, 1117
- AppLocker: Event IDs 8003, 8004, 8006, 8007, 8021, 8022, 8024, 8025
- Code Integrity: Event IDs 3023, 3036, 3076, 3077
- NTLM Blocking: Event ID 8001
- RPC Function Trace: Event ID 14
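Because any process that registers a provider GUID can write events for it, a consumer should not trust provider identity alone. An ETW event record carries the emitting process ID in its header, so a defender can check the emitter against an allow-list as well as checking that the event ID is one the provider is expected to produce. The block below is an added example, not part of BamboozlEDR: it normalizes GUID spelling (braces, case), maps the GUIDs listed above to provider names, checks the event ID against the IDs listed for that provider, and compares the emitting image against a hypothetical allow-list (the image names in ORIGIN_POLICY are constructed placeholders, not a statement of which Windows processes really emit these events).

```python
"""Sanity checks on ETW records: provider GUID, event ID and emitting image.

Added example (not part of BamboozlEDR). GUIDs and event IDs come from the
README's provider and event-ID lists; the origin allow-list is a hypothetical
policy with placeholder image names.
"""
import uuid
from dataclasses import dataclass

# Provider GUIDs as listed in the README, normalized to lowercase without braces.
PROVIDER_GUIDS = {
    "751ef305-6c6e-4fed-b847-02ef79d26aef": "Microsoft-Windows-Antimalware",
    "099614a5-5dd7-4788-8bc9-e29f43db28fc": "Microsoft-Windows-LDAP-Client",
    "2f07e2ee-15db-40f1-90ef-9d7ba282188a": "Microsoft-Windows-TCPIP",
    "1418ef04-b0b4-4623-bf7e-d74ab47bbdaa": "Microsoft-Windows-WMI-Activity",
    "2a576b87-09a7-520e-c21a-4942f0271d67": "Microsoft-Windows-AMSI",
    "89fe8f40-cdce-464e-8217-15ef97d4c7c3": "Microsoft-Windows-Crypto-DPAPI-Events",
    "a0c1853b-5c40-4b15-8766-3cf1c58f985a": "Microsoft-Windows-PowerShell",
    "54849625-5478-4994-a5ba-3e3b0328c30d": "Microsoft-Windows-Security-Auditing",
    "0a002690-3839-4e3a-b3b6-96d8df868d99": "Microsoft-Antimalware-Engine",
}

# Event IDs the README lists for providers that also have a GUID above.
# Providers absent here have no listed IDs, so no expectation is enforced.
EXPECTED_EVENT_IDS = {
    "Microsoft-Windows-Antimalware": {48},
    "Microsoft-Windows-WMI-Activity": {22, 11},
    "Microsoft-Windows-Security-Auditing": {4688},
}

# Hypothetical allow-list of emitting image names per provider. The names are
# placeholders; a real deployment would fill this from a measured baseline.
ORIGIN_POLICY = {
    "Microsoft-Windows-WMI-Activity": {"trusted-wmi-host.exe"},
    "Microsoft-Windows-Antimalware": {"trusted-av-engine.exe"},
}


@dataclass(frozen=True)
class EventRecord:
    provider_guid: str   # as captured, any case, with or without braces
    event_id: int
    emitter_image: str   # image of the process whose PID the ETW header carries


def normalize_guid(raw: str) -> str:
    """Canonical lowercase GUID; raises ValueError on malformed input."""
    return str(uuid.UUID(raw.strip().strip("{}")))


def assess(record: EventRecord, origin_policy=ORIGIN_POLICY):
    """Return a list of finding tags; an empty list means nothing unusual."""
    try:
        guid = normalize_guid(record.provider_guid)
    except ValueError:
        return ["malformed-guid"]
    name = PROVIDER_GUIDS.get(guid)
    if name is None:
        return ["unknown-provider"]
    findings = []
    expected = EXPECTED_EVENT_IDS.get(name)
    if expected is not None and record.event_id not in expected:
        findings.append("unexpected-event-id")
    allowed = origin_policy.get(name)
    if allowed is not None and record.emitter_image.lower() not in {a.lower() for a in allowed}:
        findings.append("unexpected-origin")
    return findings


if __name__ == "__main__":
    # Constructed records: one well-formed, one written by an unexpected process.
    samples = [
        EventRecord("{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}", 22, "trusted-wmi-host.exe"),
        EventRecord("751EF305-6C6E-4FED-B847-02EF79D26AEF", 48, "some-other-tool.exe"),
    ]
    for rec in samples:
        print(rec.provider_guid, rec.event_id, assess(rec) or "ok")
```

The origin check is the one a generator cannot satisfy by choosing the right GUID and event ID, which is why a consumer that only keys on those two fields will count synthetic events as real ones.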
Performance optimizations:
- Pre-allocated GUID Pool: 100,000 GUIDs for high-speed generation
- Reduced String Conversions: Optimized UTF-16 encoding
- Streamlined Event Structures: Minimal overhead event writing
- Concurrent Provider Execution: Parallel event generation
- Intelligent Logging: Reduced frequency to minimize overhead
This project is licensed under the MIT License - see the LICENSE file for details.