Event Log Service
Event Viewer is the application preinstalled in Windows for viewing Windows logs; it depends on the Event Log service to function.
EventLog Service

Service configuration:
- STOPPABLE, AcceptPause, AcceptStop
- Binary path: svchost.exe -k LocalServiceNetworkRestricted -p
- ProcessId: 1732
Anti-Forensics
One of the primary anti-forensics techniques is clearing logs and disabling logging; an attacker can approach this by many methods.
Clearing logs: note that only the Security and System logs have an event recording that the log was cleared:
- 1102 for clearing the Security log
- 104 for clearing the System log


To test:
1. Run the following command to clear all event logs:
   for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
2. Check which logs still have more than 0 entries:
   Get-WinEvent -ListLog *
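As an added example that is not part of the original post, the following Python detector reads exported Windows event XML (the format produced by wevtutil or Get-WinEvent's .ToXml()) and raises an alert for the two log-clear events listed above, reporting who cleared which log and when. Both events are written by the Microsoft-Windows-Eventlog provider, which the filter checks. The sample records are constructed for the example, not captured from a real host.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows event XML as exported by wevtutil or Get-WinEvent's .ToXml()
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"

# (EventID, log it is written to) for the only two log-clear events Windows records
LOG_CLEARED_EVENTS = {
    (1102, "Security"): "Security log cleared",
    (104, "System"): "System log cleared",
}


def parse_event(xml_text):
    """Pull the System header fields and any UserData fields out of one event's XML."""
    root = ET.fromstring(xml_text.strip())
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Channel": system.find("e:Channel", NS).text,
        "Provider": system.find("e:Provider", NS).get("Name"),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Data": {},
    }
    # Log-clear events keep their details in UserData/LogFileCleared, whose element
    # lives in a provider-specific namespace, so walk it without a namespace lookup.
    userdata = root.find("e:UserData", NS)
    if userdata is not None:
        for section in userdata:
            for field in section:
                event["Data"][field.tag.split("}")[-1]] = field.text
    return event


def detect_log_clearing(events_xml):
    """Return one alert per 1102/104 event: who cleared which log and when."""
    alerts = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        key = (ev["EventID"], ev["Channel"])
        if key not in LOG_CLEARED_EVENTS or ev["Provider"] != EVENTLOG_PROVIDER:
            continue
        data = ev["Data"]
        alerts.append({
            "rule": LOG_CLEARED_EVENTS[key],
            "time": ev["TimeCreated"],
            "user": f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
            # 1102 always refers to the Security log; 104 names the cleared log in UserData
            "cleared_log": "Security" if ev["EventID"] == 1102 else data.get("Channel"),
        })
    return alerts


# Constructed sample records (not captured from a real host): a Security log clear,
# a 104 in the System log for the Application log, and an unrelated logon event.
SAMPLE_EVENTS = [
    """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog"/>
    <EventID>1102</EventID>
    <TimeCreated SystemTime="2021-03-01T10:15:00.000000000Z"/>
    <Channel>Security</Channel>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserName>admin</SubjectUserName>
      <SubjectDomainName>LAB</SubjectDomainName>
    </LogFileCleared>
  </UserData>
</Event>""",
    """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog"/>
    <EventID>104</EventID>
    <TimeCreated SystemTime="2021-03-01T10:15:02.000000000Z"/>
    <Channel>System</Channel>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserName>admin</SubjectUserName>
      <SubjectDomainName>LAB</SubjectDomainName>
      <Channel>Application</Channel>
    </LogFileCleared>
  </UserData>
</Event>""",
    """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2021-03-01T10:14:00.000000000Z"/>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">admin</Data>
  </EventData>
</Event>""",
]

if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(alert)
```

Running the block as a script prints the two alerts for the constructed records; on a real host, feed it the output of `wevtutil qe Security /f:xml` or the `.ToXml()` of each event returned by Get-WinEvent.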

All methods require administrative privileges.
Method 1 (Terminate the Event Log process)
As said above, the process responsible for logging events is:
svchost -k LocalServiceNetworkRestricted -p -s eventlog

If we suspend this process, Event Viewer is paused; you will also not be able to open a new CMD or PowerShell, but you can keep using a shell that is already open.
Event Viewer is paused, but the logs appear right after the process is resumed; the same happens if you kill the process and then start the service again.
So if an attacker tries to stop logging this way, you just have to restart the service and everything will be there.
Detection
Method 2 (Invoke-Phant0m)
This is a PowerShell script that kills the threads of the svchost process responsible for event logging.
This technique works for stopping a lot of security controls, not just Event Viewer.
Download: Invoke-Phant0m
Test environment: Windows 10 1909, build 18363.1016
Of course, any AV will detect Invoke-Phant0m as malware, so as an attacker you have to find your own way to bypass detection.
. ./Invoke-Phant0m
Invoke-Phant0m

As you can see in the image above, Invoke-Phant0m finds the PID of the svchost process responsible for event logging
and kills its threads; this causes a total of 20 events that we will rely on for detection.
After the threads are killed, no log entries are logged.


Detection


Important notice about Invoke-Phant0m: although it prevents any new log entries from being created, the log-clear events (1102, 104) will still be created.

Method 3 (Mimikatz event::drop)
Mimikatz is a widely used tool for dumping credentials, but it also has other uses, such as stopping event logging in Windows.
You can find more details about Mimikatz and credential dumping here: Mimikatz
This technique patches the service so that it stops logging the Windows log-clear events (1102, 104).
The Event Log service still logs all other events.
The following GIF shows that 1102 is no longer generated, but PowerShell logs are still generated, and the same goes for Security events, etc.

Detection
First of all, if a SIEM exists, then clearing logs on the host does not matter much: we can always find the logs in the SIEM.
- Sysmon
  - Process Access
  - Module Loading (detects Mimikatz in general, not necessarily event::drop)
    - bcryptprimitives.dll
    - vaultsvc.dll
    - all DLLs for SSPs like [schannel.dll, credssp.dll, gpapi.dll, wdigest.dll, tspkg.dll, samsrv.dll]
  - If the process loaded all of these modules in Sysmon, then it is highly likely to be Mimikatz; if it loaded only one or two, it could be a regular process.
<Sysmon schemaversion="4.00">
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <ProcessAccess onmatch="include">
      <TargetImage condition="is">C:\Windows\System32\svchost.exe</TargetImage>
    </ProcessAccess>
    <ImageLoad onmatch="include">
      <ImageLoaded condition="contains">schannel.dll</ImageLoaded>
      <ImageLoaded condition="contains">credssp.dll</ImageLoaded>
      <ImageLoaded condition="contains">gpapi.dll</ImageLoaded>
      <ImageLoaded condition="contains">wdigest.dll</ImageLoaded>
      <ImageLoaded condition="contains">tspkg.dll</ImageLoaded>
      <ImageLoaded condition="contains">samsrv.dll</ImageLoaded>
    </ImageLoad>
  </EventFiltering>
</Sysmon>
- Process Access: 0x1438, which is
  PROCESS_SUSPEND_RESUME (0x800) | PROCESS_SET_INFORMATION (0x200) | PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_WRITE (0x20) | PROCESS_VM_READ (0x10) | PROCESS_VM_OPERATION (0x8)
  which is sufficient access to do the patching.
Svchost is patched at run time in memory, not on disk, so restarting the service or the computer removes the effect of Mimikatz.
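The following Python block is an added example, not code from the original post or from Sysmon. It covers both detection signals above: it decodes the GrantedAccess mask of a Sysmon Event ID 10 (ProcessAccess) record using the Win32 PROCESS_* access-right constants and flags handles to svchost.exe that carry memory-write rights (PROCESS_VM_WRITE together with PROCESS_VM_OPERATION, the rights a patch of the process needs), and it counts, per process, how many of the SSP DLLs from the ImageLoad filter were loaded (Event ID 7), rating a process that loaded all of them as highly likely Mimikatz. The events are represented as dictionaries the way a SIEM presents them after field extraction; the records, image paths and the three-level rating (low for one or two DLLs, medium in between, high for all of them) are this example's own assumptions.

```python
# Win32 process access rights (PROCESS_* constants from winnt.h), by bit value
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}

# Rights needed to write into another process's memory (patching requires both)
MEMORY_WRITE_RIGHTS = 0x0020 | 0x0008  # PROCESS_VM_WRITE | PROCESS_VM_OPERATION

# The SSP DLLs from the Sysmon ImageLoad filter above
SSP_DLLS = {"schannel.dll", "credssp.dll", "gpapi.dll", "wdigest.dll", "tspkg.dll", "samsrv.dll"}


def decode_access_mask(mask):
    """Name every right set in a GrantedAccess mask, lowest bit first; unknown bits as hex."""
    names = []
    for bit in range(32):
        value = 1 << bit
        if mask & value:
            names.append(PROCESS_ACCESS_RIGHTS.get(value, f"0x{value:X}"))
    return names


def can_write_memory(mask):
    """True when the handle carries both rights needed to patch the target's memory."""
    return mask & MEMORY_WRITE_RIGHTS == MEMORY_WRITE_RIGHTS


def rate_ssp_loads(loaded_dlls):
    """Rate a process by how many of the SSP DLLs it loaded (thresholds are this example's assumption)."""
    count = len(loaded_dlls & SSP_DLLS)
    if count == len(SSP_DLLS):
        return "high"      # every SSP DLL loaded: highly likely Mimikatz
    if count <= 2:
        return "low"       # one or two can be a regular process
    return "medium"


def analyze_sysmon(events):
    """Run both rules over Sysmon events (ID 10 = ProcessAccess, ID 7 = ImageLoad)."""
    alerts = []
    ssp_loads = {}  # loading process image -> set of SSP DLL basenames it loaded
    for ev in events:
        if ev["EventID"] == 10 and ev["TargetImage"].lower().endswith("\\svchost.exe"):
            mask = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string
            if can_write_memory(mask):
                alerts.append({"rule": "memory-write handle to svchost.exe",
                               "source": ev["SourceImage"],
                               "granted": ev["GrantedAccess"],
                               "rights": decode_access_mask(mask)})
        elif ev["EventID"] == 7:
            dll = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
            if dll in SSP_DLLS:
                ssp_loads.setdefault(ev["Image"], set()).add(dll)
    for image, dlls in ssp_loads.items():
        level = rate_ssp_loads(dlls)
        if level != "low":
            alerts.append({"rule": "SSP module loading", "source": image,
                           "level": level, "dlls": sorted(dlls)})
    return alerts


# Constructed sample events (not captured from a real host); image paths are made up.
SAMPLE_SYSMON_EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Users\\lab\\Desktop\\mimikatz.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1438"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1000"},
] + [
    {"EventID": 7, "Image": "C:\\Users\\lab\\Desktop\\mimikatz.exe",
     "ImageLoaded": "C:\\Windows\\System32\\" + dll}
    for dll in sorted(SSP_DLLS)
] + [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\mmc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\gpapi.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\mmc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\schannel.dll"},
]

if __name__ == "__main__":
    for alert in analyze_sysmon(SAMPLE_SYSMON_EVENTS):
        print(alert)
```

Because many legitimate processes open svchost.exe with query-only rights, the ProcessAccess rule keys on the memory-write rights rather than on the exact mask value, so a handle with a different but still write-capable mask is caught too.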