My key takeaways
- there is a PoC proving persistence by writing/reading shellcode from the Event Log
- the real issue is execution, as it is a blind spot for most EDRs, including Defender
- Event logs in Windows are registered in the registry
- sources are bound to a specific log
- local admins can create a log/source and write event log entries via PowerShell
- every time you clear an event log there is an entry recording that the log has been cleared
- binary data can be included in an Event Log entry if it is passed as a byte array
- how much? approx. 61,440 bytes
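Added example (my own, not from the talk, BHIS or the SharpEventPersist project): a defender-side PowerShell script covering the three behaviours in the takeaways above. It looks for event records carrying unusually large binary payloads, lists the sources registered under each log in the registry (the .NET-generic message-file check is a heuristic of mine, not something the talk claims), and pulls the "log cleared" records. Log names, the 4096-byte threshold and the 30-day window are assumptions to tune per environment.

```powershell
# Added example (not from the talk or the SharpEventPersist project): defender-side
# checks for the behaviours listed above. Thresholds and log names are assumptions.

# 1. Events carrying unusually large binary payloads (what Write-EventLog -RawData
#    produces). The Binary element in the event XML is hex-encoded, so 2 chars = 1 byte.
function Find-LargeBinaryEvents {
    param(
        [string[]]$LogName = @('Application', 'System'),
        [int]$MinBytes = 4096,      # assumed threshold; tune per environment
        [int]$MaxEvents = 5000
    )
    foreach ($log in $LogName) {
        $events = Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($ev in $events) {
            $xml = [xml]$ev.ToXml()
            $hex = $xml.Event.EventData.Binary
            if ($hex -and ($hex.Length / 2) -ge $MinBytes) {
                [pscustomobject]@{
                    TimeCreated  = $ev.TimeCreated
                    LogName      = $ev.LogName
                    ProviderName = $ev.ProviderName
                    Id           = $ev.Id
                    BinaryBytes  = [int]($hex.Length / 2)
                }
            }
        }
    }
}

# 2. Event sources registered under each log. Sources whose message file is the generic
#    .NET EventLogMessages.dll are what New-EventLog / EventLog.CreateEventSource register
#    by default (heuristic, not proof of misuse): diff the output against a known-good baseline.
function Get-RegisteredEventSources {
    param([string[]]$LogName = @('Application', 'System'))
    foreach ($log in $LogName) {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                LogName       = $log
                Source        = $_.PSChildName
                MessageFile   = $props.EventMessageFile
                DotNetGeneric = [bool]($props.EventMessageFile -match 'EventLogMessages\.dll')
            }
        }
    }
}

# 3. "Log cleared" records: Security 1102 and System 104 are written by the
#    Eventlog service itself when a log is cleared.
function Get-LogClearedEvents {
    param([int]$Days = 30)   # assumed lookback window
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, ProviderName, Message
    }
}

# Usage (run in an elevated session; reading the Security log needs admin rights):
Find-LargeBinaryEvents | Format-Table -AutoSize
Get-RegisteredEventSources | Where-Object DotNetGeneric | Format-Table -AutoSize
Get-LogClearedEvents | Format-Table -AutoSize
```

The first function is the one that matters for the "blind spot" point: the payload itself is not executable data as far as the log is concerned, so the only host-side signal is an entry whose Binary field is far larger than any product normally writes, which is why a size threshold plus a baseline of known sources is a more useful detection than looking for the execution step.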
Env: provided by BHIS
Speaker:
Additional links
- https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
- GitHub: improsec/SharpEventPersist (persistence by writing/reading shellcode from the Event Log)
- Simple PoC from Malicious Payload Injection from Windows Event Log Entry
User comments
Cactus — today at 20:06
one of the problems that a blue team will have is log ingestion – we can't ingest everything, we have to pick and choose what is appropriate