An In-kernel Forensics Engine for Investigating Evasive Attacks

📅 2025-05-10
📈 Citations: 0
Influential: 0
🤖 AI Summary
Low-visibility attacks—such as fileless execution, process hollowing, and anti-debugging techniques—pose significant challenges for early forensic detection due to their minimal footprint and ease of evasion. To address this, we propose LASE, the first open-source, low-observability kernel-level forensic engine for Windows. LASE implements lightweight, high-fidelity execution tracing within the Windows kernel via enhanced Event Tracing for Windows (ETW), deep hooking of system calls and the Object Manager, memory-mapped log compression, and a fileless logging architecture—enabling comprehensive system-wide behavioral monitoring while drastically reducing detectability. Experimental evaluation demonstrates that LASE reliably captures stealthy attack behaviors in real time, supports multi-scenario deployment, and facilitates threat attribution and reasoning. Accompanying the release are the full open-source engine implementation and a curated dataset of real-world execution traces, establishing foundational resources for longitudinal behavioral analysis and benchmarking.

📝 Abstract
Over the years, adversarial attempts against critical services have become more effective and sophisticated in launching low-profile attacks. This trend has always been concerning. However, an even more alarming trend is the increasing difficulty of collecting relevant evidence about these attacks and the involved threat actors in the early stages, before significant damage is done. This issue puts defenders at a significant disadvantage, as it becomes exceedingly difficult to understand the attack details and formulate an appropriate response. Developing robust forensics tools to collect evidence about modern threats has never been easy. One main challenge is to provide a robust trade-off between achieving sufficient visibility and leaving minimal detectable artifacts. This paper introduces LASE, an open-source Low-Artifact Forensics Engine for performing threat analysis and forensics in the Windows operating system. LASE augments current analysis tools by providing detailed, system-wide monitoring capabilities while minimizing detectable artifacts. We designed multiple deployment scenarios, showing LASE's potential in evidence gathering and threat reasoning in a real-world setting. By making LASE and its execution trace data available to the broader research community, this work encourages further exploration in the field by reducing the engineering costs for threat analysis and building a longitudinal behavioral analysis catalog for diverse security domains.
Problem

Research questions and friction points this paper is trying to address.

Investigating evasive attacks with minimal detectable artifacts
Collecting early-stage evidence for low-profile adversarial attempts
Enhancing threat analysis in Windows OS with system-wide monitoring
Innovation

Methods, ideas, or system contributions that make the work stand out.

In-kernel forensics engine for Windows OS
Low-artifact system-wide monitoring capabilities
Open-source execution trace for threat analysis
Javad Zhandi
Florida International University
Lalchandra Rampersaud
Florida International University
Amin Kharraz
Assistant Professor of Computer Science, Florida International University
Security