Phant0m — Windows Event Log Killer
Phant0m targets the Event Log service: after locating the process that hosts the service, it identifies and kills the threads responsible for it. Thus, while the Event Log service appears to be running (because Phant0m did not kill the process), it does not actually run (because Phant0m killed its threads) and the system stops collecting logs.
https://github.com/hlldz/Phant0m
#windows #events #log #killer
moonwalk
moonwalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine. It saves the state of system logs pre-exploitation and reverts to that state, including the filesystem timestamps, post-exploitation, leaving zero traces of a ghost in the shell.
https://github.com/mufeedvh/moonwalk
#unix #log #clearing #redteam
Windows Event Log Evasion via Native APIs
Some native Windows API calls can be used to install services WITHOUT generating correlating entries in the event log. This was seen in Stuxnet.
https://www.inversecos.com/2022/03/windows-event-log-evasion-via-native.html
#edr #event #log #evasion
😈 How to Detect Linux Anti-Forensics Log Tampering
When forensically examining Linux systems for malicious intrusion, responders often rely on the following three artefacts to determine logins and logouts:
— /var/run/utmp – currently logged in users
— /var/run/wtmp – current and past logins and system reboots
— /var/log/btmp – bad login attempts
Of course, these artefacts are not all you can forensically investigate for malicious access; however, these will be the focus of this anti-forensics blog post.
https://www.inversecos.com/2022/06/detecting-linux-anti-forensics-log.html
#linux #log #evasion #antiforensics