TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Black Hills InfoSec

Windows Event Logs for Red Teams

Kassie Kimball · 2022-08-08

ATT&CK techniques detected

12 predictions (where one excerpt was tagged under two techniques, both tags are shown on one line)

T1055.001 Dynamic-link Library Injection · 99%
"…very basic, and grossly written proof-of-concept, that pulls the binary payload data from the first entry in the event log Key Management Services, then executes that binary payload using a very common shellcode injection technique that will inject the payload into the curren…"

T1055.001 Dynamic-link Library Injection · 95%
"…payload was once again safely stored in the event log entry, just waiting for something to use it. The last step was to set up an nc listener using -nvlp 1337 as arguments. With our listener set up, it was time to execute our program to inject our shellcode and hopefully get a rem…"

T1685.001 Disable or Modify Windows Event Log · 84%
"…have regarding the various event logs found on a common Windows installation. If it is not already obvious, let me state it for the record that to be able to store a payload in an event log entry, you must first be able to write to the event log. Depending on your user context, you…"

T1685.001 Disable or Modify Windows Event Log · 83%
"…commandlet, it is simple to create arbitrary event entries with the following command: Write-EventLog -LogName $1 -Source $2 -EventId $3 -EventType Information -Category 0 -Message $4. There are a few things to be aware of though. First, the -LogName argument must be a…"

T1685.001 Disable or Modify Windows Event Log · 70%
"…the Windows event log basics, the EventData field of an entry supports both a message and binary data. By simply adding one more argument to our PowerShell command, we can include binary data in the event log entry by using the -RawData argument. To be able to embed binary data…"

T1685.001 Disable or Modify Windows Event Log · 63%
"…, choosing a valid EventId can help limit the indicators that something is mucking about in the log. When creating an event log entry, you will need to define the EntryType using the -EntryType argument. There are five types that can be used but if you are trying to not get caug…"

T1685.001 Disable or Modify Windows Event Log · 58% and T1654 Log Enumeration · 53% (same excerpt)
"…few weeks, I finally had some time that I could circle back to the article and really dive in and try to figure out what was going on, how it all worked, and what (if any) were the limitations of using Windows event logs as a payload storage apparatus. For me, the most logical…"

T1685.001 Disable or Modify Windows Event Log · 52%
"Windows Event Logs for Red Teams. Tim Fowler // Do you know what could be lurking in your Windows event logs? In May of 2022, I was sent a Threat Post article about a new technique that had been discovered in the wild for maintaining persistence u…"

T1654 Log Enumeration · 50% and T1685.001 Disable or Modify Windows Event Log · 42% (same excerpt)
"…systems: Application, Security, Setup, System, Forwarded Events. There is also a collection of logs in a folder within Event Viewer called Application and Services Logs that contains logs of individual applications and hardware-based events. Windows PowerShell logs would b…"

T1055.001 Dynamic-link Library Injection · 43%
"…being used. Just vanilla, out-of-the-box Metasploit in 2022. However, it just goes to show that there is great potential in using the log entry injection technique for storing payloads. In fact, a few moments after the previous screenshot was taken, Defender raised its head a…"
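The excerpts above describe the storage half of the technique: Write-EventLog accepts a -RawData byte array alongside the message, and a valid-looking Source, EventId and EntryType keep the entry from standing out. The block below is an added example written for this page, not code from the Black Hills post or its author. It round-trips a constructed random blob through an Application log entry and reads it back by tag, then shows the defender-side check a hunter would run against the same log: entries whose RawData is larger than the source normally produces. It deliberately stops at storage and retrieval and executes nothing. Assumptions (none are from the original): Windows PowerShell 5.1 (Get-EventLog and Write-EventLog are not in PowerShell 7), a source that is already registered under the chosen log (registering one with New-EventLog needs admin), and a caller who is allowed to write to that log; the source name, EventId, message text and threshold are placeholders.

```powershell
# Added example, not the Black Hills post's code. Assumes Windows PowerShell 5.1 and a
# pre-registered event source. Stores bytes in RawData, reads them back, then scans the
# log for oversized RawData the way a defender would.

function Write-PayloadEntry {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [string]$LogName = 'Application',
        [string]$Source  = 'Application Error',   # assumption: any source already registered under $LogName
        [int]$EventId    = 1000,                   # assumption: an id that is routine for that source
        [string]$Tag     = [guid]::NewGuid().ToString('N')
    )
    # The message only carries a tag so the entry can be found again; the bytes ride in RawData.
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
        -EntryType Information -Category 0 -Message "Report $Tag" -RawData $Bytes
    return $Tag
}

function Read-PayloadEntry {
    param(
        [Parameter(Mandatory)][string]$Tag,
        [string]$LogName = 'Application',
        [int]$Newest = 200
    )
    # Get-EventLog returns newest entries first; EventLogEntry.Data exposes the RawData bytes.
    $entry = Get-EventLog -LogName $LogName -Newest $Newest |
        Where-Object { $_.Message -like "*$Tag*" -and $_.Data.Count -gt 0 } |
        Select-Object -First 1
    if (-not $entry) { throw "No entry tagged $Tag in the newest $Newest $LogName records" }
    return [byte[]]$entry.Data
}

function Get-Sha256Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return -join ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) }
    finally { $sha.Dispose() }
}

# Defender side: most sources write little or no binary data, so entries carrying more
# than $ThresholdBytes of RawData are a cheap hunting pivot for this storage trick.
function Find-OversizedRawData {
    param(
        [string]$LogName = 'Application',
        [int]$ThresholdBytes = 512,   # assumption: tune per source after baselining
        [int]$Newest = 5000
    )
    Get-EventLog -LogName $LogName -Newest $Newest |
        Where-Object { $_.Data.Count -gt $ThresholdBytes } |
        Select-Object TimeGenerated, Source, EventID, EntryType,
            @{ Name = 'RawDataBytes'; Expression = { $_.Data.Count } }
}

# Constructed sample: 2 KB of random bytes standing in for a payload.
$sample = New-Object byte[] 2048
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($sample)
$before = Get-Sha256Hex $sample

$tag   = Write-PayloadEntry -Bytes $sample
$back  = Read-PayloadEntry -Tag $tag
$after = Get-Sha256Hex $back

"stored   sha256=$before"
"readback sha256=$after  match=$($before -eq $after)"

"Application entries with more than 512 bytes of RawData (the one just written should appear):"
Find-OversizedRawData | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: a single entry has a size cap, so anything larger than a small stager has to be split across several entries and reassembled on read; and the write itself is the observable event, so a source whose normal entries never carry binary data, or an EventId that source never emits, is exactly what the Find-OversizedRawData pass and a baseline of per-source RawData sizes will surface.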

Summary

Tim Fowler // Do you know what could be lurking in your Windows event logs? In May of 2022, I was sent a Threat Post article about a new technique […]

The post Windows Event Logs for Red Teams appeared first on Black Hills Information Security, Inc.