Defense Evasion: Windows Event Logging (T1562.002)
Defense Evasion is an attack tactic (a stage of the cyber kill chain) made up of the techniques attackers use to avoid detection during an intrusion.
MITRE TACTIC: Defense Evasion (TA0005)
MITRE TECHNIQUE: Impair Defenses (T1562)
SUB-TECHNIQUE: Disable Windows Event Logging (T1562.002)
Table of Contents
- Clear Event Log using the Wevtutil Command
- Clear Event Log using PowerShell
- Phantom
- Mimikatz
- MiniNT registry key
- PowerShell Empire
- Metasploit
To limit the amount of data available for detection and audit, an attacker can disable Windows event logging. Logon attempts, process creation, and other user and device activity are all recorded in Windows event logs, and security tools and analysts rely on this data to identify the artifacts of an intrusion.
Clear Event Log using the Wevtutil Command
wevtutil is a built-in Windows command-line tool for retrieving information about event logs and publishers. It can also install and uninstall event manifests, run queries, and export, archive, and clear logs.
Execute the following command with administrator rights:
wevtutil cl security
😊 All Security log entries are cleared now, but clearing the log itself generates a new event with ID 1102 ("The audit log was cleared"), which is a strong detection signal.
Clear Event Log using PowerShell
Another method is to use PowerShell for clearing logs; as you can observe, the machine has both a System and a Security log.
Run PowerShell as administrator and execute the following commands:
Clear-EventLog -LogName Security
Clear-EventLog -LogName System
The above commands clear all entries from the System and Security logs. As with wevtutil, this leaves event ID 1102 in the Security log and event ID 104 ("The System log file was cleared") in the System log.
Phantom
This script walks the thread stacks of the Event Log Service process (a specific svchost.exe instance), identifies the Event Log threads, and kills them. The system then stops collecting logs while the Event Log Service still appears to be running. Download it from here
powershell -ep bypass .\Invoke-Phant0m.ps1
Mimikatz
How can we forget mimikatz when it comes to the red teaming approach? Mimikatz is the most effective method, allowing you not only to steal credentials but also to clear the logs from within the Event Viewer.
Run mimikatz as administrator and execute the following commands:
privilege::debug
event::
MiniNT registry key
You can also play with the registry: create the new registry key mentioned below and reboot the machine to reload the hive.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
With this key present, the Event Log Service fails to start after the reboot, so no event logs are generated.
PowerShell Empire
PowerShell Empire can also be used to clear logs, identify Event Log threads, and kill Event Log Service threads through its phant0m module.
Use the following commands to execute the module against the selected agent:
usemodule management/phant0m
execute
Metasploit
Last but not least, we have the Metasploit framework, which can clear the Application, Security and System logs from within the Event Viewer. In the meterpreter session, you can execute the following command.
clearev
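As an added example (not part of the original article), the following Python script shows the defender's side of the techniques above: it scans constructed sample event records and flags the traces they leave, namely event ID 1102 (Security log cleared), event ID 104 (another log cleared), a Sysmon registry event for the MiniNt key, and an unexplained gap in event flow, which is the only trace Phant0m leaves in the logs themselves. The record layout and the sample events are assumptions, a simplified EVTX-to-JSON shape, not output of any real host.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real host) in a simplified
# EVTX-to-JSON shape: channel, event ID, UTC timestamp and a few fields.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Time": "2024-01-10T09:00:00", "Fields": {}},
    {"Channel": "Security", "EventID": 1102, "Time": "2024-01-10T09:05:00",
     "Fields": {"SubjectUserName": "admin"}},
    {"Channel": "System", "EventID": 104, "Time": "2024-01-10T09:05:02",
     "Fields": {"Channel": "System", "SubjectUserName": "admin"}},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 12,
     "Time": "2024-01-10T09:06:00",
     "Fields": {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNt"}},
    {"Channel": "Security", "EventID": 4688, "Time": "2024-01-10T09:07:00", "Fields": {}},
    {"Channel": "Security", "EventID": 4634, "Time": "2024-01-10T11:30:00", "Fields": {}},
]


def detect_log_tampering(events, max_gap=timedelta(minutes=60)):
    """Return (time, description) findings for the techniques on this page:
    log clearing, the MiniNt key, and a silent Event Log Service."""
    findings, times = [], []
    for e in sorted(events, key=lambda ev: ev["Time"]):
        t = datetime.fromisoformat(e["Time"])
        times.append(t)
        f = e["Fields"]
        who = f.get("SubjectUserName", "?")
        if e["Channel"] == "Security" and e["EventID"] == 1102:
            findings.append((t, f"Security log cleared by {who}"))
        elif e["Channel"] == "System" and e["EventID"] == 104:
            findings.append((t, f"{f.get('Channel', '?')} log cleared by {who}"))
        elif "Sysmon" in e["Channel"] and e["EventID"] == 12 \
                and f.get("TargetObject", "").lower().endswith(r"\control\minint"):
            findings.append((t, "MiniNt registry key created; logging stops at next boot"))
    # Phant0m leaves the service running but idle, so the only in-log trace is
    # a stretch with no events at all; correlate with host uptime before acting.
    for prev, cur in zip(times, times[1:]):
        if cur - prev > max_gap:
            findings.append((prev, f"no events for {cur - prev}; check Event Log Service threads"))
    return findings


if __name__ == "__main__":
    for when, what in detect_log_tampering(SAMPLE_EVENTS):
        print(when.isoformat(), what)
```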
Reference: https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadgets enthusiast.