Blog link: working on it
-
Bypass windows eventlogs & Sysmon,only tested in win10_x64.
-
Only for red team purpose, and you need to change the codes if u use it for pentest.
-
You need administrator privilege to run it.
-
You also need administrator privilege to debug or test the code(In VS).
-
Feel free to make any issues or advice.
Process Explorer
-
Remove the “System.Threading.Thread.Sleep” in main function,the “System.Threading.Thread.Sleep” is for debugging purpose.
-
Run it with administrator privilege, for that you gonna need to bypass UAC first.(which I will update a bypass UAC project soon).
-
if u need to debug or test it you need to run VS with administrator privilege first, open a powershell or a cmd with administrator privilege and run your VS(
- Restruct code
- NONE
-
https://www.pinvoke.net/search.aspx?search=NtWriteVirtualMemory&namespace=[All]
-
https://wj32.org/wp/2010/03/30/howto-use-i_querytaginformation/
-
https://github.com/3gstudent/Eventlogedit-evtx--Evolution/blob/master/SuspendorResumeTidEx.cpp
-
https://artofpwn.com/2017/06/05/phant0m-killing-windows-event-log.html
-
https://github.com/3gstudent/Windows-EventLog-Bypass/blob/master/WindowsEventLogBypass.cpp
-
https://www.pinvoke.net/default.aspx/advapi32.adjusttokenprivileges
-
https://www.pinvoke.net/default.aspx/kernel32/SuspendThread.html