September 8

Webinar takeaway – Offensive Windows Event Logs


My key takeaways

  • there is a POC proving persistence by writing shellcode to, and reading it back from, the Event Log
    • the real issue is the execution step: it is a blind spot for most EDRs, Defender included
  • Windows event logs are defined in the registry
    • this is where sources are bound to a specific log
  • local admins can create a log/source and write event log entries via PowerShell
  • every time you clear the event log, an entry is written stating that the log has been cleared
  • binary data can be included in an Event Log entry if it is passed as a byte array
    • how much? approx. 61,440 bytes
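As an added defender-side example (not part of the webinar or this post), the following PowerShell turns the takeaways above into a hunt: it lists the registry source-to-log bindings, flags records whose binary payload is unusually large, and pulls the log-cleared records. Log names, the size threshold and the lookback window are assumptions; event IDs 1102 and 104 are standard Windows IDs that the post itself does not mention.

```powershell
# Added example, not code from the webinar or this post.
# Assumptions: which logs to inspect, the payload-size threshold and the lookback window.
param(
    [string[]]$LogNames = @('Application', 'System'),
    [int]$MinBinaryBytes = 4096,   # flag payloads well below the ~61,440-byte ceiling
    [int]$DaysBack = 7
)
$since = (Get-Date).AddDays(-$DaysBack)

# 1. Source-to-log bindings live in the registry; list them so a freshly created source stands out.
foreach ($log in $LogNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Log';         e = { $log } },
                      @{ n = 'Source';      e = { $_.PSChildName } },
                      @{ n = 'MessageFile'; e = { $_.GetValue('EventMessageFile') } }
}

# 2. Records with a large EventData/Binary element. The rendered XML holds the byte array
#    as a hex string, so two characters correspond to one byte.
foreach ($log in $LogNames) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $hex = $xml.Event.EventData.Binary
            if ($hex -and ($hex.Length / 2) -ge $MinBinaryBytes) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Log         = $_.LogName
                    Source      = $_.ProviderName
                    EventId     = $_.Id
                    BinaryBytes = [int]($hex.Length / 2)
                }
            }
        }
}

# 3. Log-cleared records: Security 1102 ("The audit log was cleared") and System 104
#    from Microsoft-Windows-Eventlog. Standard IDs; the Security log needs admin rights to read.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } `
    -ErrorAction SilentlyContinue
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since } `
    -ErrorAction SilentlyContinue
```

Run it from an elevated PowerShell session; the first block shows which source names are bound to each log, the second lists candidate payload-carrying records, and the third shows whether anyone has cleared the logs in the lookback window.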


User comments

  • Cactus — today at 20:06: one of the problems that a blue team will have is the log ingestion - we can't ingest everything, we have to pick and choose what is appropriate


Tags

logging, red team

