Join Us!

Editing Windows Eve...
 
Notifications
Clear all

Editing Windows Event Log and a big Thank you!  

  RSS
Bunnysniper
(@bunnysniper)
Active Member

I would like to mention

https://blog.fox-it.com/2017/12/08/detection-and-recovery-of-nsas-covered-up-tracks/

This blog post describes the tool "eventlogedit", developed by the NSA and published by the Shadow Brokers group. AFAIK it describes the current most sophisticated tool to manipulate Windows Eventlogs. I`m quite sure we will see more successful manipulations of Eventlogs than ever. Before the release of eventlogedit it was nearly impossible to delete single Eventlogs entries and to maintain the integrity and hash verification of the file. But now it does not seem to be a problem.

Anyway, Fox IT released a tool to detect those manipulations at Github and i just want to say "Thank you". Thanks a lot to Fox IT, Harlan, Eric, Joakim and all other regulars here at ForensicFocus for releasing their tools to the public and making the life of an Incident Responder a lot easier. Thanks for that!

best regards,
Robin

Quote
Posted : 09/12/2017 9:01 pm
keydet89
(@keydet89)
Community Legend

I and others tried using the tool this past spring after it was released, and could not get it to work…there was no discernible impact on the systems we tried. There were some who claimed that it worked, but were unable to thoroughly describe what they'd done, and unwilling to provide a target *.evtx file for examination.

ReplyQuote
Posted : 10/12/2017 12:20 pm
MDCR
 MDCR
(@mdcr)
Active Member

I and others tried using the tool this past spring after it was released, and could not get it to work…there was no discernible impact on the systems we tried. There were some who claimed that it worked, but were unable to thoroughly describe what they'd done, and unwilling to provide a target *.evtx file for examination.

Well, in that case they did get away with it.

IIRC, the tool "unlinks" an eventlog entry so it becomes part of the earlier record and the entry is seen as overflow data. The information is there, it just isn't its own eventlog entry anymore. That is probably why you didn't see it.

If you dump it all out as text, the data should be there, just not as it's own record. I haven't played with it myself since i do not trust the Eventlog service to keep the integrity of logs - just because of such tools.

ReplyQuote
Posted : 10/12/2017 4:04 pm
keydet89
(@keydet89)
Community Legend

IIRC, the tool "unlinks" an eventlog entry so it becomes part of the earlier record and the entry is seen as overflow data. The information is there, it just isn't its own eventlog entry anymore. That is probably why you didn't see it.

I didn't see it because, as I mentioned in my case it didn't work…the tool failed to function.

In instances were folks claimed that it did work, they were unable/unwilling to provide any proof…not even screencaps of the event log, before and after, via MMC.

ReplyQuote
Posted : 11/12/2017 5:41 pm
Share: