Added New ETW Events (Windows 11)

[nasbench]

This PR adds new ETW events that were added in Windows 11. The list of ETW providers that has been added is the following:

• Microsoft-Windows-Kernel-Cache
• Microsoft-Windows-Kernel-Dump
• Microsoft-Windows-TenantRestrictions
• Microsoft-Windows-USB-USB4DeviceRouter-EventLogs
• Microsoft-Windows-WerKernel
• Microsoft-Windows-WinHttp-Pca
• Microsoft-Windows-WinINet-Pca
• Microsoft-Windows-Winsock-Sockets
• Microsoft-Windows-ZTraceMaps

The following additions are based on the following research:

• ETW Resources Project
• Windows 11 “New” ETW Providers — Overview

[Cyb3rWard0g]

Wow! That's awesome @nasbench ! Thank you very much for sharing your research through the OSSEM project as well 🙏🏾 I would love to know how we can improve the tracking of those ETW providers in the future. The versioning, new fields, etc. Any feedback would be appreciated 😄

[nasbench]

Hey, @Cyb3rWard0g my pleasure!. Regarding your question, I had the following idea. We could add an "Availability" field inside each README.yml of each provider describing in what version of windows the ETW provider is available. For example, the "Microsoft-WIndows-Kernel-Process" is old so we mention that it's been there since Win 7, Win 8....etc.

In addition to this, we need to add a field inside the event YAML to describe when this field or event has been introduced. Again in the case of "Microsoft-Windows-Kernel-Process" fields have been added in Win8 in Win 10 and Win11. 😄

[Cyb3rWard0g]

Great suggestion @nasbench ! mmm I assume we would have to go through all the releases docs. Does that exist somewhere? I remember downloading a few lists of events in a word document from MS docs and it had some of that information. I was wondering if you knew of any specific resources. I will also ask internally.

[AndrewRathbun]

@nasbench we could do a diff between each version of Windows and include tables of what changed from 1803 to 1809 to 1903 etc, from A-Z for every version we're already working on. Server, too. That's at least ultimately what I had in mind for our ongoing project 😎

[nasbench]

That's exactly what I was about to suggest @AndrewRathbun

Using the different manifests we've been collecting and diffing them, will yield us great results and will give us a lot of insights into when were new events and providers added.

@Cyb3rWard0g We've been dumping ETW manifests from the different versions of Windows (See ETW Manifests) So we could use this as a very good basis for what we're talking about here.