Defense Evasion is a cyber kill chain tactic that groups the techniques attackers use to avoid detection during an intrusion.

MITRE TACTIC: Defense Evasion (TA0005)
MITRE TECHNIQUE: Impair Defenses (T1562)
SUB-TECHNIQUE: Disable Windows Event Logging (T1562.002)
Table of Contents
· Clear Event log using Wevtutil Command
· Clear Event log using PowerShell
· Phantom
· Mimikatz
· MiniNT registry key
· PowerShell Empire
· Metasploit
To limit the data available for detection and auditing, an attacker can disable Windows event logging. Logon attempts, process creation, and other user and device activity are all recorded in the Windows event logs, and security tooling and analysts rely on these records to identify the artifacts of an intrusion.
Clear Event log using Wevtutil Command
wevtutil is a built-in Windows tool that lets you retrieve details about event logs and publishers. The same command can install and uninstall event manifests, run queries, and export, archive and clear logs.
Execute the following command with administrator rights:
wevtutil cl security
😊 All Security log entries are gone now, but the clear itself is recorded: the Event Log service writes event ID 1102 ("The audit log was cleared") as the first entry of the freshly cleared log.
Clear Event log using PowerShell
Another method is to use PowerShell to clear the logs; here the machine has entries in both the System and Security logs.
Run PowerShell as administrator and execute the following commands (Clear-EventLog is a Windows PowerShell cmdlet and is not available in PowerShell 7):
Clear-EventLog -LogName Security
Clear-EventLog -LogName System
The commands above clear every entry from the System and Security logs.
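Both of the clearing methods shown so far go through the Event Log service, and the service records the clear as its first new entry: event ID 1102 in the Security log and event ID 104 ("The System log file was cleared") in the System log, each carrying the account that performed it. As an added defender-side example that is not part of the original post, the following Windows PowerShell function lists those records on the local host. It assumes an elevated session (reading the Security log needs administrator rights); the function name and the 7-day default window are assumptions of this example.

```powershell
# Added example, not from the original post: surface log-clearing events on the local host.
# Security 1102 ("The audit log was cleared") and System 104 ("The System log file was
# cleared") are written by the Event Log service itself as the first entry of the cleared
# log, so wevtutil, Clear-EventLog or any other tool that clears through the service leaves them.
function Get-LogClearEvent {
    [CmdletBinding()]
    param(
        [int]$Days = 7    # look-back window; assumed default for this example
    )
    $since = (Get-Date).AddDays(-$Days)

    # One filter per log/event-ID pair. Reading Security requires an elevated session.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since }
    )

    foreach ($filter in $filters) {
        # Get-WinEvent raises an error when a filter matches nothing; treat that as "no events".
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Both events carry the clearing account under UserData/LogFileCleared.
            $xml  = [xml]$_.ToXml()
            $data = $xml.Event.UserData.LogFileCleared
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Log         = $filter.LogName
                EventId     = $_.Id
                ClearedBy   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Computer    = $_.MachineName
            }
        }
    }
}

# Usage: list clears from the last 30 days, most recent first.
Get-LogClearEvent -Days 30 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Because these two records are produced by the service rather than by the tool that issued the clear, they survive any clear performed through the API. They should be forwarded to a collector as soon as they are written: an account that can clear a log once can clear it again, and on an unforwarded host the only trace of the second clear is the newer 1102/104 entry.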
Phantom
Invoke-Phant0m walks the thread stacks of the Event Log Service process (the specific svchost.exe hosting it), identifies the threads that belong to the Event Log service, and kills them. The system then stops collecting logs while the Event Log service still appears to be running. Download it from here
powershell -ep bypass
.\Invoke-Phant0m.ps1
Mimikatz
How can we forget mimikatz when it comes to red teaming? Mimikatz is the most effective method, letting you not only steal credentials but also clear the log from within the Event Viewer.
Run mimikatz as administrator and execute the following commands:
privilege::debug
event::
MiniNT registry key
You can also play with the registry: create the key shown below and reboot the machine so the hive is reloaded.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
This key disables Event Viewer and so stops it from generating logs.
PowerShell Empire
PowerShell Empire can also be used to clear logs: its phant0m module identifies the Event Log service threads and kills them.
Use the following commands to run the module against the chosen agent:
usemodule management/phant0m
execute
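The Phantom, MiniNT registry key and Empire sections above describe tampering that leaves no 1102/104 record: the service still reports Running while its worker threads are dead, or the MiniNt key silently stops logging after the next reboot. As an added defender-side example that is not part of the original post or of any of the tools it names, the following Windows PowerShell function checks for both conditions on the local host. It writes a uniquely marked event through the normal API and verifies the event becomes readable, which is the one thing a service with dead threads cannot do. It assumes an elevated session (registering a probe source and writing events need administrator rights); the function name, the probe source name `EventLogHealthProbe`, event ID 9001 and the 10-second timeout are assumptions of this example.

```powershell
# Added example, not from the original post: detect tampering that leaves the Event Log
# service looking healthy. Phant0m-style thread killing keeps the service "Running" but
# nothing gets written; the MiniNt key disables logging after the next reboot.
# Run elevated: registering a probe source and writing events both need admin rights.
function Test-EventLogHealth {
    [CmdletBinding()]
    param(
        [string]$ProbeSource   = 'EventLogHealthProbe',   # assumed source name for the probe
        [int]$TimeoutSeconds   = 10                       # assumed limit for the write to complete
    )
    $result = [ordered]@{}

    # 1. MiniNt key: merely existing is enough, no value needs to be set under it.
    $result.MiniNtKeyPresent = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt'

    # 2. What the service control manager believes. Killing threads does not change this.
    $result.ServiceStatus = (Get-Service -Name EventLog).Status.ToString()

    # 3. Write-through probe: write a uniquely marked event, then read it back.
    #    The probe source is registered once per host under the Application log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($ProbeSource)) {
        New-EventLog -LogName Application -Source $ProbeSource
    }
    $marker = [guid]::NewGuid().ToString()

    # The write is an RPC into the service; with its worker threads dead it may hang
    # rather than fail, so run it in a background job with a timeout.
    $job = Start-Job -ScriptBlock {
        param($Source, $Marker)
        Write-EventLog -LogName Application -Source $Source -EventId 9001 `
            -EntryType Information -Message "Event Log health probe $Marker"
    } -ArgumentList $ProbeSource, $marker
    Wait-Job -Job $job -Timeout $TimeoutSeconds | Out-Null
    $result.ProbeWriteCompleted = ($job.State -eq 'Completed')
    Remove-Job -Job $job -Force

    # Give the service a moment, then look for the marker in the Application log.
    Start-Sleep -Seconds 2
    $landed = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $ProbeSource; StartTime = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$marker*" }
    $result.ProbeEventReadable = [bool]$landed

    # Verdict: MiniNt is set, or the service claims to be up but the probe never became readable.
    $result.Suspicious = ($result.MiniNtKeyPresent -or
        ($result.ServiceStatus -eq 'Running' -and -not $result.ProbeEventReadable))
    [pscustomobject]$result
}

Test-EventLogHealth
```

A freshly registered event source can take a moment before events written under it are readable, so treat a failure on the very first run of the probe as inconclusive and run it again before drawing a conclusion. Once the source exists, a Running service with an unreadable probe, or a present MiniNt key, is worth an immediate look regardless of what the logs themselves show.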
Metasploit
Last but not least, the Metasploit framework can clear the Application, Security and System logs from within the Event Viewer. In a Meterpreter session, execute the following command:
clearev
Reference:
https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c