Skip to content
Windows Event Log Killer
PowerShell
Branch: master
Clone or download

Latest commit

Latest commit f1396c4 May 22, 2017

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Invoke-Phant0m.ps1 Add files via upload May 2, 2017
LICENSE Initial commit May 2, 2017
README.md Update README.md May 22, 2017

README.md

Invoke-Phant0m

This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.

I have made this script for two reasons. First, This script will help to Red Teams and Penetration Testers. Second, I want to learn Powershell and Low-Level things on Powershell for cyber security field.

Usage

PS C:\> Invoke-Phant0m
        _                 _    ___
  _ __ | |__   __ _ _ __ | |_ / _ \ _ __ ___
 | '_ \| '_ \ / _` | '_ \| __| | | | '_ ` _ \
 | |_) | | | | (_| | | | | |_| |_| | | | | | |
 | .__/|_| |_|\__,_|_| |_|\__|\___/|_| |_| |_|
 |_|


[!] I'm here to blur the line between life and death...

[*] Enumerating threads of PID: 1000...
[*] Parsing Event Log Service Threads...
[+] Thread 1001 Succesfully Killed!
[+] Thread 1002 Succesfully Killed!
[+] Thread 1003 Succesfully Killed!
[+] Thread 1004 Succesfully Killed!

[+] All done, you are ready to go!

Technical Details

https://artofpwn.com/phant0m-killing-windows-event-log.html

Video

PoC Video

You can’t perform that action at this time.