Explore the power of Event Tracing for Windows (ETW) for detecting intrusions in this comprehensive conference talk from Derbycon 7. Dive into ETW's capabilities, including its visibility and overview, and learn how to capture and interpret ETW events. Discover real-time ETW solutions through practical examples using krabset, such as DNS lookups, PowerShell DLL loads, and thread injection detection. Revisit the forensic wishlist and examine various attack scenarios, including process starts, obfuscated PowerShell, and data exfiltration. Address challenges like event overload and learn techniques for reducing event volume and identifying different types of signals. Explore performance, reliability, and tampering concerns, and gain insights into how red teams operate. Conclude with practical advice on implementing ETW in your environment and a glimpse into future developments in this field.