September 8

Webinar takeaway – Offensive Windows Event Logs


My key takeaways

  • There is a PoC that demonstrates persistence by writing shellcode into the Event Log and reading it back later.
    • Storage is not the hard part; the real issue is execution, which is a blind spot for most EDRs, Defender included.
  • Windows event log configuration lives in the registry (under HKLM\SYSTEM\CurrentControlSet\Services\EventLog).
    • That is where event sources are bound to a specific log.
  • Local admins can create a log/source and write event log entries via PowerShell (New-EventLog, Write-EventLog).
  • Every time you clear an event log, an entry is written stating that the log has been cleared (1102 in the Security log, 104 in the System log for the other logs), so clearing is noisy rather than stealthy.
  • Binary data can be included in an Event Log entry if it is passed as a byte array.
    • How much? Approximately 61,440 bytes (about 60 KB) per entry.
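The takeaways above, as an added example in Windows PowerShell 5.1 (this is not code from the webinar or from the PoC it refers to). It creates a custom log and source as a local admin, writes a byte array as the entry's binary data, reads it back, and then shows that clearing the log is itself logged. The log name `DemoLog`, source `DemoSource` and the ASCII payload are constructed for illustration; no shellcode is involved.

```powershell
#Requires -RunAsAdministrator
# Added example: walk through the takeaways above on a test machine.
# Log name, source name and payload are constructed, not taken from the webinar.

$LogName = 'DemoLog'      # hypothetical custom log
$Source  = 'DemoSource'   # hypothetical source bound to that log
$Payload = [System.Text.Encoding]::ASCII.GetBytes('constructed payload bytes')

# 1. Bind a new source to a new log. The binding lands in the registry under
#    HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\<LogName>\<Source>.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}
"Sources bound to ${LogName}:"
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName" |
    Select-Object -ExpandProperty PSChildName

# 2. Write an entry whose binary data is the byte array. -RawData takes [byte[]];
#    the practical ceiling per entry is roughly 61,440 bytes, so refuse anything larger.
if ($Payload.Length -gt 61440) { throw 'payload exceeds the ~60 KB per-entry limit' }
Write-EventLog -LogName $LogName -Source $Source -EventId 1000 `
    -EntryType Information -Message 'benign-looking message' -RawData $Payload

# 3. Read it back. EventLogEntry.Data returns the stored bytes unchanged.
$entry     = Get-EventLog -LogName $LogName -Source $Source -Newest 1
$roundTrip = [System.Text.Encoding]::ASCII.GetString($entry.Data)
"Round trip intact: $($roundTrip -eq 'constructed payload bytes')"

# 4. Defensive side: clearing a log is logged. Non-Security logs produce event 104
#    from Microsoft-Windows-Eventlog in the System log (the Security log records 1102).
Clear-EventLog -LogName $LogName
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } -MaxEvents 1 |
    Format-List TimeCreated, Id, Message

# 5. Remove the demo log and its registry binding.
Remove-EventLog -LogName $LogName
```

`New-EventLog`, `Write-EventLog`, `Get-EventLog` and `Remove-EventLog` exist only in Windows PowerShell 5.1; on PowerShell 7 use `Get-WinEvent` for reading and the `System.Diagnostics.EventLog` class for the rest. Steps 1, 2 and 5 need local admin rights; step 3 does not, which is the asymmetry that makes the technique interesting to a red team and the 104/1102 events interesting to a blue team.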

Env

additional links

User comments

  • Cactus — today at 20:06
    One of the problems that a blue team will have is log ingestion – we can't ingest everything, we have to pick and choose what is appropriate.


Tags

logging, red teaming

