
Conversation

@ThatTotallyRealMyth

Wevtutil.exe is created by Windows to be used by system administrators, mainly for troubleshooting purposes; not for actors to abuse to hide their tracks or create visibility gaps. The binary shines less when used to straight-up clear logs than when used to momentarily disable logs of interest, perform certain actions more stealthily, and then resume logging as normal.
It is unlikely that defenders would notice a 2-3 minute gap in logging, which can give you crucial minutes to perform noisier/high-risk activity while reducing the risk of detection. Many red teamers and pentesters (at my workplace included) were not aware of the ability to pause logging and resume it with relative ease, and expressed interest in having it handy. Potentially others are in the same spot and would benefit from having it in the project!
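The pause/act/resume sequence described above, together with the two checks a defender would run against it, as an added example that is not part of the PR author's submission or the LOLBAS project. It assumes an elevated PowerShell prompt, uses `Microsoft-Windows-PowerShell/Operational` as a stand-in for "the log of interest", and the process-creation command lines in `$sampleCommandLines` are constructed for illustration, not captured from a real host. `Get-ChannelEnabled`, `Find-LoggingGap` and `Test-WevtutilToggle` are hypothetical helper names.

```powershell
# Added example, not code from the PR or the LOLBAS project.
# Assumptions: elevated prompt; $LogName is a stand-in for the channel of interest.
$LogName = 'Microsoft-Windows-PowerShell/Operational'

function Get-ChannelEnabled {
    param([string]$Name)
    # "wevtutil gl" (get-log) prints an "enabled: true|false" line in its output
    $line = wevtutil gl $Name | Where-Object { $_ -match '^enabled:\s*(true|false)' }
    return [bool]($line -match 'true')
}

# --- operator side: pause the channel, act, restore its original state ---
$wasEnabled = Get-ChannelEnabled -Name $LogName
wevtutil sl $LogName /e:false        # "sl" = set-log; /e:false stops the channel
# ... noisy or high-risk activity goes here; nothing is written while the channel is off ...
if ($wasEnabled) { wevtutil sl $LogName /e:true }   # resume logging as before

# --- defender side, check (a): a hole in an otherwise steady event stream ---
function Find-LoggingGap {
    param([string]$Name, [int]$MaxEvents = 5000, [int]$ThresholdMinutes = 2)
    $events = Get-WinEvent -LogName $Name -MaxEvents $MaxEvents -ErrorAction Stop |
              Sort-Object TimeCreated
    for ($i = 1; $i -lt $events.Count; $i++) {
        $gap = $events[$i].TimeCreated - $events[$i - 1].TimeCreated
        if ($gap.TotalMinutes -ge $ThresholdMinutes) {
            [pscustomobject]@{
                From    = $events[$i - 1].TimeCreated
                To      = $events[$i].TimeCreated
                Minutes = [math]::Round($gap.TotalMinutes, 1)
            }
        }
    }
}
Find-LoggingGap -Name $LogName

# --- defender side, check (b): wevtutil toggling a channel in process-creation telemetry
#     (Security 4688 with command-line auditing, or Sysmon Event ID 1). Constructed samples:
$sampleCommandLines = @(
    'wevtutil.exe sl Microsoft-Windows-PowerShell/Operational /e:false',
    'wevtutil set-log "Microsoft-Windows-Sysmon/Operational" /e:false',
    'wevtutil qe Security /c:5 /f:text',                                # benign query, not matched
    'wevtutil sl Microsoft-Windows-PowerShell/Operational /e:true'
)
function Test-WevtutilToggle {
    param([string]$CommandLine)
    # sl and set-log are the same verb; /e:false disables, /e:true re-enables
    return [bool]($CommandLine -match '(?i)\bwevtutil(\.exe)?\s+(sl|set-log)\b.*\s/e:(true|false)\b')
}
$sampleCommandLines | Where-Object { Test-WevtutilToggle -CommandLine $_ }
```

The gap check only works on channels with a steady baseline; a channel that is quiet anyway produces gaps all the time, so it needs a per-channel threshold. The disable/enable pair in command-line telemetry is the stronger signal, since the toggle itself has to be executed and recorded before the target channel goes dark.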

@ThatTotallyRealMyth
Author

It says it failed the acknowledgment section; I guess the issue is that my GitHub user name is too long, so I'm just going to remove that.

@wietze
Member

wietze commented Apr 26, 2025

Hi @ThatTotallyRealMyth , thanks for taking the time to create this contribution.

We've had a similar pull request for wevtutil before (#411 (comment) ) - according to the LOLBAS Criteria, each binary/script must have 'unexpected' capabilities. From what I can see, the functionality you list is 'expected' for the executable.

That doesn't mean the functionality you documented is not useful for e.g. red teamers (on the contrary, as the blog/tweet you reference show), but if my assessment is right, this entry would unfortunately not be the right fit for this project. For that reason I'm closing this pull request now, if you think I'm wrong though please comment in here and I'll reopen the pull request.

@wietze wietze closed this Apr 26, 2025
@ThatTotallyRealMyth
Author

That is totally fair, but I did think that in the spirit of things it could be considered, or an exception made for it. While I totally get that it isn't abnormal functionality, the binary's abuse is really widespread but it isn't very well known or understood. The LOLBAS project is, in my view, seen as THE authoritative guide on abusing native binaries. wevtutil wasn't made for abuse; it was made for totally legitimate tasks and not to be weaponized for defense evasion.

I find a lot of people refer to this project with dependency to learn/identify all there is to know about pre-existing tools in Windows environments to evade defense. I do understand your point of view on only documenting "unintended" functionality, but maybe you could consider this, as it is worth popularizing this attack vector that flies under the radar of many defenders.
