Anti Eventlogging Module
The biggest problem for any attacker is the Windows event logger (ETW). Almost every well-known blue team agent (Sysmon, Wazuh, etc.) relies on it, which means that if you somehow disable this service, no logs will be produced and nothing can trigger an alert for the blue team. Disabling it requires administrative privileges. In this page, I cover the methods implemented in MrKaplan to disable event logging and how to use them with MrKaplan.
The first method is a common and easy way to stop event logging: just suspend the process that is responsible for the ETW. It can be done easily with a WMI query and NtSuspendProcess. The service won't try to wake up the process (since it is still running), and it won't log any events. A win-win situation for any attacker.
The second method is my favorite, but it comes with a sting: while it is in use and until clean-up, no regular user can log in to the station. For this method, MrKaplan (ab)uses a mechanism in Windows that allows limiting the size of the logs that can be created on a computer. To stop the ETW, all that needs to be done is to set the registry value to 0KB and the operation to DoNotOverWrite. This part is important! By default, new logs overwrite the old ones, but with the DoNotOverWrite flag you can bypass that and no logs will be created.
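As an added defender-side check (not part of MrKaplan), the following PowerShell audits a host for the two conditions described above: an Event Log service process whose threads are all suspended, and channels configured with a 0-byte maximum size and a do-not-overwrite (Retain) retention policy. It assumes it runs elevated and that the tampered size and retention values are reflected in the channel configuration that Get-WinEvent -ListLog exposes.

```powershell
# Added defensive audit, not MrKaplan code. Flags the two conditions the page
# describes: a suspended Event Log service process, and channels whose maximum
# size is 0 with a do-not-overwrite (Retain) policy. Run from an elevated shell.

function Test-EventLogServiceSuspended {
    # Locate the svchost hosting the EventLog service and inspect its threads.
    $svc = Get-CimInstance Win32_Service -Filter "Name='EventLog'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return $true }   # service not running at all
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction Stop
    # WaitReason is only meaningful while a thread is in the Wait state; an idle
    # but healthy svchost shows reasons such as UserRequest, never Suspended.
    $waiting   = @($proc.Threads | Where-Object { $_.ThreadState -eq 'Wait' })
    $suspended = @($waiting | Where-Object { $_.WaitReason -eq 'Suspended' })
    # NtSuspendProcess leaves every thread parked in Suspended.
    return ($suspended.Count -gt 0 -and $suspended.Count -eq $proc.Threads.Count)
}

function Get-ZeroSizeRetainChannels {
    # LogMode 'Retain' is the do-not-overwrite policy; with MaximumSizeInBytes 0
    # no record can ever be written to the channel.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.MaximumSizeInBytes -eq 0 -and $_.LogMode -eq 'Retain' } |
        Select-Object LogName, MaximumSizeInBytes, LogMode, IsEnabled
}

if (Test-EventLogServiceSuspended) {
    Write-Warning 'EventLog service process is not running or all of its threads are suspended'
}
$tampered = @(Get-ZeroSizeRetainChannels)
if ($tampered.Count -gt 0) {
    Write-Warning "Channels with 0-byte size and Retain policy: $($tampered.LogName -join ', ')"
    $tampered | Format-Table -AutoSize
}
```

Either warning is a strong signal that logging was deliberately disabled, since neither state arises from normal channel administration.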