Event Log Tampering Part 1: Disrupting the EventLog Service

You Can’t See Me
  • Service Host Thread Tampering (Invoke-Phant0m)
  • Patching the Event Service (Mimikatz)
  • Downgrading Windows Components (Adding MiniNT key)
  • Evtx Structure & Manual Event Editing (A must-read to understand the following sections)
  • Event Record Unreferencing (Shadow Brokers Tools DanderSpritz/eventlogedit)
  • Rewriting Logs with WinAPI EvtExportLog (3gstudent’s evolutions of eventlogedit)

Disrupting the EventLog Service

Service Host Thread Tampering

A time gap in logs from where I started Phant0m and restarted the service.

Patching the Event Service

Downgrading Windows Components

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"

Once this key exists and the Event Log service is restarted, the service behaves as if it were running in WinPE and no longer records events, while still showing as running. Deleting the key and restarting the service restores logging.
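All three techniques in this part leave the EventLog service looking healthy while events silently stop being persisted. The following PowerShell triage checks are an added example for this page, not code from the original post or from Phant0m or Mimikatz; they cover the MiniNt key shown above and the time gap from the thread-tampering section. The gap threshold, the marker source name and ID used by the write probe, and the use of eventcreate.exe as the writer are assumptions for illustration. Run them in an elevated session.

```powershell
# Added example, not from the original post. Assumptions (not from the page):
# the gap threshold, the marker source/ID of the write probe, and eventcreate.exe
# as the writer. Requires an elevated PowerShell session.

# Check 1: the MiniNt key from the "Downgrading Windows Components" section.
# On a full Windows install this key should not exist at all.
function Test-MiniNtKey {
    Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt'
}

# Check 2: does the service actually persist events? Thread tampering and
# service patching leave 'EventLog' in the Running state while nothing is
# written, so write a marker and read it back instead of trusting the status.
function Test-EventLogWrites {
    param(
        [string]$Source = 'EventLogHealthCheck',  # assumed source name
        [int]$EventId  = 100,                     # assumed event ID
        [int]$TimeoutSeconds = 10
    )
    if ((Get-Service -Name EventLog).Status -ne 'Running') { return $false }
    $marker = 'probe-' + [guid]::NewGuid().ToString('N')
    # eventcreate.exe submits the record through the EventLog service like any other writer
    & eventcreate.exe /L APPLICATION /T INFORMATION /SO $Source /ID $EventId /D $marker | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $hit = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Source; Id = $EventId } `
                            -MaxEvents 20 -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -like "*$marker*" }
        if ($hit) { return $true }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Check 3: the symptom in the post's screenshot, a stretch of time with no
# events at all followed by the service being restarted. Report every gap
# above the threshold and whether the first event after it is the EventLog
# service's own start record (System log, provider 'EventLog', ID 6005).
function Find-EventLogGaps {
    param(
        [string]$LogName = 'System',
        [int]$MaxEvents = 5000,
        [int]$ThresholdMinutes = 60   # assumed; tune to the host's normal event rate
    )
    $events = @(Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
                Sort-Object TimeCreated)
    if ($events.Count -lt 2) { return }
    for ($i = 1; $i -lt $events.Count; $i++) {
        $prev = $events[$i - 1]
        $next = $events[$i]
        $delta = $next.TimeCreated - $prev.TimeCreated
        if ($delta.TotalMinutes -ge $ThresholdMinutes) {
            [pscustomobject]@{
                GapStart            = $prev.TimeCreated
                GapEnd              = $next.TimeCreated
                Minutes             = [int]$delta.TotalMinutes
                LastBefore          = "$($prev.ProviderName)/$($prev.Id)"
                FirstAfter          = "$($next.ProviderName)/$($next.Id)"
                # 6005 = "The Event log service was started": a restart right after the gap
                ServiceRestartAfter = ($next.ProviderName -eq 'EventLog' -and $next.Id -eq 6005)
            }
        }
    }
}

# Usage
"MiniNt key present : $(Test-MiniNtKey)"
"Events persisted   : $(Test-EventLogWrites)"
Find-EventLogGaps | Format-Table -AutoSize
```

Check 2 writes a record to the Application log of the host it runs on, so use it on a live host where altering the log is acceptable, not on an image you are preserving as evidence. Check 3 reports only gaps and the restart that follows them; a gap alone is not proof of tampering on a quiet host, which is why the threshold should be set from that host's normal event rate.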

svch0st