In May 2022, Kaspersky published a write-up on a newly discovered campaign in which malware authors wrote shellcode into the Windows Event Log. This was pretty interesting, and just about 4 months later, Tim Fowler published a blog post over at BlackHillsInfoSec digging into this a bit deeper and offering red teamers several variations of the technique.
Now, I found this technique interesting, not because it’s something I’d never seen before, but because of how Windows Event Logs, and just “Event Logs” prior to Vista, have been used by DFIR analysts. Back in the days of WinXP and Windows 2000/2003, there were The Big Three…Security, System, and Application Event Logs. With the advent of Vista, and then Windows 7, the number of Windows Event Logs available to analysts exploded; on my Windows 10 system, a ‘dir’ of the winevt\logs folder reveals 400 files with the “.evtx” extension. However, not all logs are populated, or even enabled.
However, this doesn’t mean that these logs are used during analysis; in fact, much like the Registry, the Windows Event Logs are largely misunderstood by a great many analysts, to the point where I’ve seen log collection processes that are still restricted to just the Security, System, and Application Event Logs. Further, a great deal of Windows forensic analysis training persists in identifying Windows Event Log records solely by their event ID, even though it has been stated and shown that event IDs are not unique. For example, we often refer to “event ID 4624” when identifying successful login events, but when the event source is “EventSystem”, that event ID has an entirely different meaning and significance. And there’s nothing that prevents someone from creating an application that writes its logs to an existing or its own Windows Event Log, using the same event ID. In just the past year, I’ve seen several tools used by threat actors that create Windows Event Log records, two of which use event ID 0 (zero) for everything, literally eve
[…]
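The point above, that an event ID only has meaning together with its provider (source) and log, is easy to demonstrate from a PowerShell prompt. The following is an added example and is not code from the original post; it assumes a Windows host where the Security log is readable (an elevated prompt), uses only the built-in Get-WinEvent cmdlet, and uses the “EventSystem” provider named in the text as the example of a second source emitting ID 4624. The provider name Microsoft-Windows-Security-Auditing for the logon events is the standard Security log provider.

```powershell
# Added example (not from the original post): identify event log records by
# log + provider + ID rather than by ID alone, and see which logs actually hold data.
# Assumes: Windows host, elevated prompt so the Security log is readable.

# 1. Of the several hundred .evtx logs on disk, which are enabled AND populated?
#    Collection scoped to "the big three" misses everything listed here beyond them.
$populated = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending |
    Select-Object LogName, RecordCount, LogMode
$populated | Format-Table -AutoSize

# 2. Same ID, different meaning: 4624 from the Security auditing provider is a
#    successful logon; 4624 from EventSystem (Application log) is something else entirely.
$id = 4624
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing'; Id = $id } `
    -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'EventSystem'; Id = $id } `
    -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# 3. Triage helper: for a given ID, list every (log, provider) pair that emits it across
#    all populated logs. A filter keyed on ID alone would lump all of these together.
function Get-EventIdSources {
    param([Parameter(Mandatory)][int]$EventId)
    $populated | ForEach-Object {
        Get-WinEvent -FilterHashtable @{ LogName = $_.LogName; Id = $EventId } -ErrorAction SilentlyContinue
    } |
    Group-Object LogName, ProviderName |
    Select-Object @{ n = 'Log/Provider'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
}

Get-EventIdSources -EventId 4624

# 4. The same check for event ID 0: records carrying ID 0 are only meaningful
#    once you know which provider wrote them, so group them by provider first.
Get-EventIdSources -EventId 0
```

The key detail is the hashtable filter: Get-WinEvent’s -FilterHashtable accepts LogName, ProviderName and Id together, so a detection or collection rule can be written against the triple rather than the bare ID. Running Get-EventIdSources for an ID you rely on in a hunt shows at a glance which other sources reuse it and would otherwise be swept up as false positives.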