
Hello everybody. First of all, thank you, BSides, for having me here. I appreciate this opportunity. This is my first international conference and I'm very nervous. Sorry about my English, I don't know if you will understand something that I say here, but I'm here. Okay, today I'm going to talk about Windows Event Log and persistence, and how you can use Windows to create some persistence and disclose some vulnerabilities.

About me: my name is Fabio Janz. I have 11 years in offensive security. I have some certifications, I don't exactly like certifications, but I have OSCP, OSWE and OSEP. I also spoke at some conferences in Brazil. Brazil is a very good place; if you visit Brazil, let me know, I can help you look around some good places. Here we go, the places there, sorry: BSides São Paulo, NullByte, Ekoparty. This is my LinkedIn, this is my Twitter.

Disclaimer: nothing I say here represents my company; everything I say here is my responsibility, that's okay. Let me explain about this: in Brazil it's very common that the company uses some talk to block the employees during the talk, and then the company maybe had the obligation to put this inside the talk.

Motivation: my motivation for this talk is that I love some techniques like privilege escalation and domain admin, principally in Windows environments, and then during one internal red team engagement I found a lot of vulnerabilities in the Windows environment, but I found it difficult to exploit them and to create some persistence and gain local administrator, something like that.

Agenda: I will talk about red team attack simulation, PowerShell Constrained Language Mode, custom runspace and recon (this is a good feature that Microsoft created to help the blue team improve the security of the environment), practical privilege escalation (what is privilege escalation, AlwaysInstallElevated and the new approach), and practical persistence (this is my preferred technique during the red team engagement: what is persistence, and Windows Event Log).

Before I start my talk, I would like to talk about some phases during the red team engagement. My main goal here is to explain recon. Recon is a very good and very important technique that we have during the red team engagement, because during the recon phase we can find a lot of vulnerabilities and a lot of misconfigurations that we can exploit. After that, local privilege escalation is another good technique that we can look at, because as we know, during the red team engagement or the pentest we need some user that has high privileges to do something that we cannot do with a normal user. And finally we have the persistence technique. This is a good thing. During the persistence technique we have... okay, before I explain this: in a lot of Windows environments we have some EDR. The EDR is like CrowdStrike or something like that. The EDR blocks created persistence; it's very important that you look around this, because when you create some persistence with, for example, Windows tasks, Windows Defender or CrowdStrike blocks it, and so in this technique I will use the new approach, Windows Event Log,
to create a new persistence that Windows Defender and CrowdStrike don't detect. This technique is very important.

Okay, let's talk about Constrained Language Mode. It's very complicated, all this. As I mentioned before, Microsoft created Constrained Language Mode, I don't know how many years ago, but this is a very good feature that Microsoft created. This feature helps the blue team a lot, and the sysadmin, whatever, to protect PowerShell environments. When Microsoft created this feature, Microsoft looked around: okay, you create the feature to help some people, and my intention here is to block the wrong people from executing bad scripts or wrong scripts inside PowerShell. In this case, in Constrained Language Mode there are three different types. The first type is Full Language Mode. What does Full Language Mode mean? It means that you can execute whatever you want inside PowerShell, and then we can create a reverse shell, we can create persistence, we can write "I'm a hacker" and PowerShell doesn't block you. The second type we have in Constrained Language Mode is Constrained Language Mode itself. What does this mean? This feature blocks you from writing some things in PowerShell, but we can write specific things inside PowerShell. The last one we have is Restricted Language Mode. Restricted Language Mode blocks all the PowerShell scripts that you want to execute.

Okay, there are many ways to enable Constrained Language Mode, but here I have two different ways that you can use to enable this feature. The first one, as we can see here: I just executed the script in PowerShell to check if you have some blocks, and as you can see here we have Full Language Mode. What does this mean? This means that I can write everything inside PowerShell. If I want to enable Constrained Language Mode, I can just write this string inside PowerShell, with these words, "ConstrainedLanguage" mode. After that, if you execute the same script, PowerShell returns that Constrained Language Mode is enabled, and then if I write "I'm a hacker", PowerShell blocks me. But this is the problem: this is a fast and easy way to enable Constrained Language Mode, but when you open a new session in PowerShell we can bypass this, because this feature, sorry, this feature just works in the current PowerShell session; if you open a new session we can bypass this.

Okay, in my opinion, during my research I found different ways to enable this feature, and in my opinion this way is a better way: we can use AppLocker to enable this feature, and then we can create this rule here, deny *.ps1, sorry, PowerShell. What does this mean? This means that you can block all the scripts that you need to execute in PowerShell. Another way to enable Constrained Language Mode is through regedit. Regedit is a good way, in my opinion; this works for me. We can create an environment key and then you can put inside this key the value four.
Sorry. Oh yeah, okay, a little explanation about runspaces. I don't know if everybody here knows about runspaces. The runspace is a very good technique that Microsoft implemented inside PowerShell. The runspace works together with PowerShell: if you open a PowerShell session, behind PowerShell the runspace works to execute some scripts, and I use the runspace to bypass Constrained Language Mode. There are two different types of runspace. The first type is the local runspace; this is our case, because during my engagement I used the physical machine. The other type is the remote runspace; this one is not important for us, because I use just the local runspace to bypass something. That's how it works, okay?

I'm not a developer, okay, but my tool, working in Brazil, we can name it Frankenstein. Frankenstein is the script that you create to help you during your engagement. I created this script with C#; C# is a very good language, no? The first thing that I created was Console.WriteLine("pudim"). The pudim user can do everything that you want. I love pudim; pudim is a very delicious dessert we have in Brazil, Peru has it too. After that I call some .NET application to install my script, and after installing my script I use another type to uninstall it. This is very important during my proof of concept, because I don't use external tools, I just use .NET tools. Okay, then how can I execute some bad script or some payloads without Defender blocking my execution or without CrowdStrike blocking this? The first thing that you can do here is bypass the AMSI; this is important. Then I created the first string: the first string calls the remote machine where the AMSI bypass is. After that I use PowerUp; PowerUp is a very good and powerful tool that helps us to do something inside the machine. After that I create another string to elevate the privilege and open a new session with local administrator, and here I call the runspace. As I mentioned before, the runspace is an important technique that we can execute here, and then I call the first string, FGP01, FGP02 and FGP03.
Okay, as I mentioned at the beginning of this talk, I use Constrained Language Mode to execute my recon and look around for some techniques or some vulnerabilities that I have inside the machine, to create a privilege escalation and create a new user or open a new session with local administrator. In this case, as we can see, I use certutil to encode my payloads, and I encode my payloads like a certificate. After that I use the command inside Windows, bitsadmin; bitsadmin is a powerful tool to transfer my encoded payload to the remote machine, and I save this payload in Tasks\encode.txt. After that I use certutil to decode this, saved in Windows Tasks. Why do I save my script in Windows Tasks? In the majority of cases the EDR or Defender doesn't look around in Windows Tasks, it just looks around different folders. Okay, I save my encode.txt, and after that I save it with the AMSI bypass, and I use .NET to install, without logging, to install my
payload. Okay, privilege escalation: AlwaysInstallElevated and a new approach. I don't know if you know about this vulnerability. This is an old vulnerability, approximately 10 years ago, but I found a new approach to escalate privileges with this technique. But what is privilege escalation? Everybody here knows about privilege escalation, but there are different types of privilege escalation. In my opinion Windows privilege escalation is the more sophisticated technique that we can use, and then we can exploit this AlwaysInstallElevated. What does AlwaysInstallElevated mean? AlwaysInstallElevated means that we can install an MSI program inside Windows with a high-privilege user. What does this mean? This means that you can install the program or whatever you want as administrator, or you can create a local administrator and put this user in the local administrators group. Okay, as I mentioned before, I use a new approach for this. There is one approach, the older approach, in Metasploit: Metasploit has one payload that you can use to create an MSI program and install it. But I use a WiX file. A WiX file is like an XML file that you can create and modify with something that you want inside this file, and in my case here I am just creating a new PowerShell session. Okay, this is the XML file, and then I open the new PowerShell session with a local administrator.
Okay, okay, what is persistence? This is a very good technique. I love this because during the red team engagement we can return to our environment to do something that we could not do in the time that we had.

Okay, let me explain one thing here. During my research I found a lot of different techniques to create persistence, but in my opinion when you create some persistence, for example Windows tasks or the registry, something like that, Defender or CrowdStrike can block you. In this case Defender doesn't look around in the Windows Event Log; the EDR doesn't block something inside this. Okay, Windows Event Log: I will explain here about the Windows Event Log. Everybody here knows about this, but I will explain the difference between the event log and the application event log. The Windows Event Log, Microsoft created this so that if you execute some command inside PowerShell or cmd, they normally create a new event, okay? But the Windows application event log is different: to create some Windows application event log you need administrator, local administrator, to do this. And this is my approach: I use my last privilege escalation to create a persistence inside the Windows application log. Okay, Windows application log or Windows Event Log concept: why did I choose the Windows application log? In the Windows application log there are a lot of fields: the first fields are log name, source, date and time, event ID, task category, level, computer and event data. Event data in our case is very important, because I use the event data to store my shellcode and create my reverse shell.
Okay. Oh yeah, okay. After I executed my recon and my privilege escalation, I have a local administrator, and then I can create a new Windows application event log with my shellcode. First I create my event log; the event log name is Pudim, all the things. After that I created the shellcode with msfvenom in hex format, here as my payload. Then I need to put this shellcode inside the Windows application log, and I use the hex bytes and replace some bad characters that Metasploit created for me, and after that I write my shellcode inside the event data. Okay, the event ID, this is my number. The event data is called the byte array, sorry, I'm nervous. Okay, after creating the Windows application log I need to call this application log, this is the Windows application event log, and I need to execute my shellcode inside this Windows application log. As I mentioned before, I'm not a developer, and I created another script to help me; this script calls my event log. After that, this script calls Pudim, this is the last event log I created, and then I need to read the event data fields. Here I create the string to read this event data, and of course I need to use some Windows APIs: CreateThread, Write... yeah, WriteProcessMemory, and VirtualAlloc. These are common Windows APIs that EDRs look around; a lot of Defender, for example, or CrowdStrike look around these APIs, because this is very dangerous for
Windows. Okay, let's go to the demo.

Here, okay, here we show Constrained Language Mode. As we can see here we have Constrained Language Mode enabled; I write "I'm a hacker" and Constrained Language Mode blocks this line. Here I use certutil to encode my payload, okay. Okay, here I use bitsadmin to transfer my external payload to the local machine. Okay, I need to wait. Yeah, here, let me... okay, here we go. Yeah, here, as we can see, we have the encoded payload, AMSI bypass and PowerUp. After some minutes we have the recon result; as we can see here we have AlwaysInstallElevated vulnerable. Here we go, here we have a new session with a local administrator user. I created a new application event log, putting all the things with my shellcode. Yeah, this is important: as we can see we have Defender enabled here, and Defender is a beautiful EDR that Microsoft created, but unfortunately... the session. Okay, important: during my research I created a Windows task, because I want to execute this same script every 10 minutes or five minutes. Okay, I have a shell here. I'm nervous; I wrote "shell" but I need to open the session first. Okay, thank you. This is my official LinkedIn, if you want to talk with me. [Applause] If you have some question, please let me know. Any questions?
Audience member: Cool. You're writing the shellcode to an event log. Most event logs are set up to eventually be deleted when they're filled up with other events. Is that a good idea? That's where you're placing your persistence.

Speaker: Sorry, I can't hear you very well, can you repeat please?

Audience member: Yeah, you're putting your shellcode in an event, right? And normally event logs are set up to only have a certain amount of space; when they fill up with events, your event will be deleted.

Speaker: Ah, yeah, okay. In this case I put the shellcode inside the Windows application log, and if you want to create another event, you can create another event with another name, and then you can put your shellcode inside it again. I don't know if I understood the question correctly, but this is the answer. Okay, more questions? Thank you so much. Thank you.
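A defender-side audit added here, not part of the talk or the speaker's tooling: it checks the three conditions the demo depends on, the AlwaysInstallElevated policy keys, whether PowerShell is locked down for new sessions rather than only the current one, and event logs outside the default Windows set or entries carrying large binary event data, plus scheduled tasks that launch PowerShell. It assumes an elevated Windows PowerShell 5.1 session (Get-EventLog is absent in PowerShell 7); the baseline log list and the 256-byte threshold are assumptions to tune per image.

```powershell
# Added defensive audit (not the speaker's tooling). Run in an elevated
# Windows PowerShell 5.1 session; Get-EventLog is not in PowerShell 7.

# 1. AlwaysInstallElevated: an MSI runs as SYSTEM only if BOTH keys are 1.
$polPath = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$hklm = (Get-ItemProperty "HKLM:\$polPath" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
$hkcu = (Get-ItemProperty "HKCU:\$polPath" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
if ($hklm -eq 1 -and $hkcu -eq 1) {
    Write-Warning 'AlwaysInstallElevated is ON in HKLM and HKCU: any user can install an MSI as SYSTEM.'
} else {
    Write-Host "AlwaysInstallElevated not enforced (HKLM=$hklm HKCU=$hkcu)."
}

# 2. Language mode: the per-session setting shown in the talk is lost on a
#    new session, so check the machine-wide policy that survives it.
$lockdown = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
Write-Host "Current session LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"
if ($lockdown -ne '4') {
    Write-Warning 'No machine-wide __PSLockdownPolicy=4 (or AppLocker/WDAC policy): new sessions start in FullLanguage.'
}

# 3. Event logs: flag logs outside the default set and entries whose binary
#    Data field is large, which is where the talk stores its payload.
$baseline = @('Application', 'System', 'Security', 'Windows PowerShell',
              'HardwareEvents', 'Internet Explorer', 'Key Management Service')  # assumption: adjust per image
$threshold = 256  # bytes of binary Data; assumption, tune for your event sources
foreach ($log in Get-EventLog -List) {
    $name = $log.Log
    if ($baseline -notcontains $name) {
        Write-Warning "Non-default event log '$name' ($($log.Entries.Count) entries)"
    }
    Get-EventLog -LogName $name -Newest 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Data -and $_.Data.Length -ge $threshold } |
        ForEach-Object {
            Write-Warning "Large binary event data: log=$name source=$($_.Source) id=$($_.EventID) bytes=$($_.Data.Length) at $($_.TimeGenerated)"
        }
}

# 4. Scheduled tasks that launch PowerShell: the talk re-runs its loader this way.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' } | ForEach-Object {
        Write-Warning "Task '$($task.TaskPath)$($task.TaskName)' runs $($_.Execute) $($_.Arguments)"
    }
}
```

Any hit under 3 or 4 is a lead to triage against change records, not proof of compromise; legitimate software does register its own event logs and PowerShell tasks.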