Evading Logging and Monitoring

Task 1: Introduction

Q1: Read the above and continue to the next task.

Ans1: No answer needed

Task 2: Event Tracing

Q1: What ETW component will build and configure sessions?

Ans1: Controllers

Q2: What event ID logs when a user account was deleted?

Ans2: 4726

Task 3: Approaches to Log Evasion

Q1: How many total events can be used to track event tampering?

Ans1: 3

Q2: What event ID logs when the log file was cleared?

Ans2: 104

Task 4: Tracing Instrumentation

Q1: Read the above and continue to the next task.

Ans1: No answer needed

Task 5: Reflection for Fun and Silence

Q1: What reflection assembly is used?

Ans1: PSEtwLogProvider

Q2: What field is overwritten to disable ETW?

Ans2: m_enabled

Task 6: Patching Tracing Functions

Q1: What is the base address for the ETW security check before it is patched?

Ans1: 779f245b

Q2: What is the non-delimited opcode used to patch ETW for x64 architecture?

Ans2: c21400

Task 7: Providers via Policy

Q1: How many total events are enabled through script block and module providers?

Ans1: 2

Q2: What event ID will log script block execution?

Ans2: 4104

Task 8: Group Policy Takeover

Q1: What event IDs can be disabled using this technique? (lowest to highest separated by a comma)

Ans1: 4103, 4104

Q2: What provider setting controls 4104 events?

Ans2: EnableScriptBlockLogging

Task 9: Abusing Log Pipeline

Q1: What type of logging will this method prevent?

Ans1: Module logging

Q2: What target module will disable logging for all Microsoft utility modules?

Ans2: Microsoft.PowerShell.Utility

Task 10: Real World Scenario

Q1: Enter the flag obtained from the desktop after executing the binary.

Ans1: THM{51l3n7_l1k3_4_5n4k3}

Task 11: Conclusion

Q1: Read the above and continue learning!

Ans1: No answer needed