Skip to content
/ Windows-EventLog-Bypass Public

Use subProcessTag Value From TEB to identify Event Log Threads

79 stars 33 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

3gstudent/Windows-EventLog-Bypass

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
TerminateEventLogThread.cpp
TerminateEventLogThread.cpp
 
 
WindowsEventLogBypass.cpp
WindowsEventLogBypass.cpp
 
 

Repository files navigation

Windwos-EventLog-Bypass

Use subProcessTag Value From TEB to identify Event Log Threads.

Use NtQueryInformationThread API and I_QueryTagInformation API to get service name of the thread.

Auto kill Event Log Service Threads.

So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.

Learn from:

https://artofpwn.com/phant0m-killing-windows-event-log.html

and

https://github.com/hlldz/Invoke-Phant0m

Details about it:

https://3gstudent.github.io/%E5%88%A9%E7%94%A8API-NtQueryInformationThread%E5%92%8CI_QueryTagInformation%E5%AE%9E%E7%8E%B0%E5%AF%B9Windwos%E6%97%A5%E5%BF%97%E7%9B%91%E6%8E%A7%E7%9A%84%E7%BB%95%E8%BF%87

Update:

Suspend or resume the Eventlog Service's thread.Use to stop or resume the system to collect logs:

https://github.com/3gstudent/Eventlogedit-evtx--Evolution/blob/master/SuspendorResumeTid.cpp

About

Use subProcessTag Value From TEB to identify Event Log Threads

Resources

Readme
Activity

Stars

79 stars

Watchers

8 watching

Forks

33 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages