Home Evading Logging and Monitoring
Post
Cancel

Evading Logging and Monitoring

Learn how to bypass common logging and system monitoring, such as ETW, using modern tool-agnostic approaches.

THM Room https://tryhackme.com/room/monitoringevasion

TASK 1 : Introduction

Read the above and continue to the next task.

No Answer

TASK 2 : Event Tracing

What ETW component will build and configure sessions?

Controllers Controllers

Answer : Controllers

What event ID logs when a user account was deleted?

Quick google search https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726 :

4726 4726

4726 4726

Answer : 4726

TASK 3 : Approaches to Log Evasion

How many total events can be used to track event tampering?

“Assuming an attacker did destroy all of the logs before they were forwarded, or if they were not forwarded, how would this raise an alert? An attacker must first consider environment integrity; if no logs originate from a device, that can present serious suspicion and lead to an investigation. Even if an attacker did control what logs were removed and forwarded, defenders could still track the tampering”

Event ID Event ID

Answer : 4

What event ID logs when the log file was cleared?

Event ID 104 Event ID 104

Answer : 104

TASK 4 : Tracing Instrumentation

Read the above and continue to the next task.

No Answer.

TASK 5 : Reflection for Fun and Silence

What reflection assembly is used?

PSEtwLogProvider PSEtwLogProvider

Answer : PSEtwLogProvider

What field is overwritten to disable ETW?

m_enabled m enabled

When we try this in the provided target machine, we can see that our command “whoami” logs no more events.

m_enabled m enabled

Answer : m_enabled

TASK 6 : Patching Tracing Functions

What is the base address for the ETW security check before it is patched?

From the disassembly of the function “EtwEventWrite” we get the base address :

1
2
3
4
5
779f2459 33cc		###  xor	ecx, esp
779f245b e8501a0100	###  call	ntdll!_security_check_cookie
779f2460 8be5		###  mov	esp, ebp
779f2462 5d		###  pop	ebp
779f2463 c21400		###  ret	14h

Answer : 779f245b

What is the non-delimited opcode used to patch ETW for x64 architecture?

“To neuter the function, an attacker can write the opcode bytes of ret14h, c21400 to memory to patch the function.”

Answer : c21400

TASK 7 : Providers via Policy

How many total events are enabled through script block and module providers?

Events Enabled Events Enabled

Answer : 2

What event ID will log script block execution?

From previous question : 4104

Answer : 4104

TASK 8 : Group Policy Takeover

What event IDs can be disabled using this technique? (lowest to highest separated by a comma)

Events disabled Events disabled

Answer : 4103,4104

What provider setting controls 4104 events?

Answer : EnableScriptBlockLogging

TASK 9 : Abusing Log Pipeline

What type of logging will this method prevent?

“Within PowerShell, each module or snap-in has a setting that anyone can use to modify its logging functionality. From the Microsoft docs, “When the LogPipelineExecutionDetails property value is TRUE ($true), Windows PowerShell writes cmdlet and function execution events in the session to the Windows PowerShell log in Event Viewer.” An attacker can change this value to $false in any PowerShell session to disable a module logging for that specific session. The Microsoft docs even note the ability to disable logging from a user session, “To disable logging, use the same command sequence to set the property value to FALSE ($false).””

Answer : module logging

What target module will disable logging for all Microsoft utility modules?

Microsoft.PowerShell.Utility Microsoft.PowerShell.Utility

Answer : Microsoft.PowerShell.Utility

TASK 10 : Real World Scenario

Enter the flag obtained from the desktop after executing the binary.

Executing binary Executing binary

After many tries, it seems that something goes wrong with the room, so i decide to search strings in the exe file and found the flag not obfuscated in it :

1
2
3
4
5
6
7
8
9
10
11
PS C:\Users\Administrator\Desktop> Select-String -Path .\agent.exe -Pattern 'T.*H.*M.*{.*}' -AllMatches | % {$_.Matches}


Groups   : {0}
Success  : True
Name     : 0
Captures : {0}
Index    : 67
Length   : 261
Value    : t - W i n d o w s - S y s m o n / O p e r a t i o n a l '* [ S y s t e m / E v e n t I D = 1 ]  =T r a f f i c   h a l t e d ,   y o u   g o t
            c a u g h t  5E r r o r   r e a d i n g   t h e   l o g : { 0 }  1T H M { 5 1 l 3 n 7 _ l 1 k 3 _ 4 _ 5 n 4 k 3 }

Answer : THM{51l3n7_l1k3_4_5n4k3}

TASK 11 : Conclusion

Read the above and continue learning!

No Anwser.

This post is licensed under CC BY 4.0 by the author.