September 8

Webinar takeaway – Offensive Windows Event Logs


My key takeaways

  • there is a PoC proving persistence by writing shellcode to, and reading it back from, the Event Log
    • the real issue is execution, which is a blind spot for most EDRs, Defender included
  • Event log definitions in Windows live in the registry
    • bindings of sources to a specific log
  • local admins can create a log/source and write event log entries via PowerShell
  • every time you clear an event log, an entry is written stating that the log has been cleared
  • binary data can be included in an Event Log entry if it is passed as a byte array
    • how much? approx. 61,440 bytes
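An added defender-side hunting script (not from the webinar or this page's author) that acts on two of the points above: records carrying unusually large binary payloads, and the record that is written whenever a log is cleared. It assumes an elevated Windows PowerShell session; the 4096-byte threshold and the log names are illustrative choices, and Event IDs 1102 (Security log cleared) and 104 (System log cleared) are the standard Windows log-cleared events.

```powershell
# Added hunting script (not from the webinar): flags event log records that carry
# unusually large binary payloads and lists log-cleared events.
# Assumptions: run in an elevated Windows PowerShell / PowerShell 7 session;
# the threshold and log names are illustrative choices, not values from the page.
param(
    [string[]]$LogNames = @('Application', 'System'),
    [int]$MinBinaryBytes = 4096,   # assumed threshold; legitimate raw data is usually small
    [int]$MaxEvents = 5000
)

function Find-LargeBinaryEvents {
    param([string[]]$Logs, [int]$MinBytes, [int]$Max)
    foreach ($log in $Logs) {
        $events = Get-WinEvent -LogName $log -MaxEvents $Max -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Classic records rendered as XML expose raw data as a hex string in <Binary>
            $xml = [xml]$e.ToXml()
            $bin = $xml.Event.EventData.Binary
            if (-not $bin) { continue }
            $bytes = [int]($bin.Length / 2)   # two hex characters per byte
            if ($bytes -ge $MinBytes) {
                [pscustomobject]@{
                    Log = $log; TimeCreated = $e.TimeCreated; Id = $e.Id
                    Provider = $e.ProviderName; BinaryBytes = $bytes
                }
            }
        }
    }
}

function Find-LogClearedEvents {
    # 1102 = Security log cleared (Microsoft-Windows-Eventlog), 104 = System log cleared
    $filters = @(
        @{ LogName = 'Security'; Id = 1102 },
        @{ LogName = 'System';   Id = 104 }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, ProviderName, @{n='User'; e={$_.UserId}}
    }
}

Find-LargeBinaryEvents -Logs $LogNames -MinBytes $MinBinaryBytes -Max $MaxEvents | Format-Table -AutoSize
Find-LogClearedEvents | Format-Table -AutoSize
```

Reading the Security log requires administrative rights; a large payload hit is a lead to inspect, not proof of misuse, since some providers legitimately attach sizeable raw data.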

Env

additional links

User comments

  • Cactus — today at 20:06: one of the problems that a blue team will have is the log ingestion - we can't ingest everything, we have to pick and choose what is appropriate


Tags

logging, red teaming

