Explore the power of Event Tracing for Windows (ETW) for detecting intrusions in this comprehensive conference talk from GrrCON 2017. Get an overview of ETW and the visibility it offers, and learn how to capture and interpret ETW events. Discover real-time ETW solutions, with practical examples using krabsetw to observe DNS lookups, PowerShell DLL loading, command execution, and thread injection. Revisit the forensic wishlist, covering process starts, PowerShell activity, data exfiltration, and remote thread injection. Address challenges such as event overload, and learn techniques for reducing event volume and telling the different kinds of signal apart. Gain insight into the performance, reliability, and tamper resistance of ETW-based solutions. Understand how red teams approach ETW and explore ways to implement ETW in your own environment. Conclude with a look at future developments and an opportunity for questions.