
Hunting Event Logging Coverup

After my last post, some friends rightly raised the question of how to detect the execution of PowerShell-based tools such as Invoke-Phant0m. That tool locates the event log service process (an svchost.exe instance) and the threads within it that are responsible for event logging, then terminates those threads. The service process itself stays alive, but no further logs are recorded: no System, Security or Application events, and no Sysmon or enhanced PowerShell logging either.
This poses a serious challenge, because an adversary can run this script first on the victim and then carry out malicious activity without registering any logs whatsoever.
So in this post we will look at three different scenarios and see how we can detect adversaries tampering with event logging.

Scenario 1: Clearing the logs manually (when the adversary is able to use various mechanisms such as local script execution, remote clearing of logs using the meterpreter clearev command, or interactively right-clicking the logs and clearing…
