EvtMute : Apply A Filter To The Events Being Reported By Windows Event Logging

EvtMute is a tool that allows you to offensively use YARA to apply a filter to the events being reported by windows event logging.

Usage

Grap the latest version from here. EvtMuteHook.dll contains the core functionality, once it is injected it will apply a temporary filter which will allow all events to be reported, this filter can be dynamically updated without having to reinject. I’ve written SharpEvtMute.exe which is a C# assembly that can easily run via execute in shad0w or execute-assembly in cobalt strike. I will be writing a native version in C for much better integration with shad0w.

Disabling Logging

A trivial use case would be to disable event logging system wide. To do this we can use the following yara rule.

rule disable { condition: true }

We will need to start by injecting the hook into the event service.

.\SharpEvtMute.exe –Inject

Now that the hook is placed we can add the filter.

.\SharpEvtMute.exe --Filter "rule disable { condition: true }"

Now all events will be dropped by the event service.

rule block_lsass_dump {
meta:
author = “@batsec
description = “Prevent lsass dumping being reported by sysmon”
strings:
$provider = “Microsoft-Windows-Sysmon”
$image = “lsass.exe” nocase
$access = “GrantedAccess”
$type = “0x1fffff”
condition:
all of them
}

Complex Filters

Filters can be dynamically changed without having to reinject a hook. This makes it quick and easy to update the active filter.

An example of a more complex filter would be this. It is capable of blocking the events related to a lsass memory dump from being reported by sysmon.

With a complex rule like this it is much harder to condense it into a single line. This is why I added the ability to give base64 encoded rules.

The rule can easily be converted to base64 from a linux command line.

base64 -w 0 YaraFilters/lsassdump.yar | echo $(</dev/stdin)

Then using the --Encoded flag we can pass it as a filter

Opsec Considerations

When injecting the hook SharpEvtMute.exe will call CreateRemoteThread and this call is made before the hook is placed so it will be reported by Sysmon. This is because the injection feature of SharpEvtMute.exe should only be used as a PoC. I recommend manually injecting EvtMuteHook.dll into the event logging service when stealth is important.

It’s pid can be found by running SharpEvtMute.exe --Pid. The hook can be placed by manually injecting the shellcode (run make in EvtMuteBin) via your C2 framework of choice, e.g shinject in shad0w.

It is also worth mentioning that the hook will use a named pipe to update filters. The named pipe is called EvtMuteHook_Rule_Pipe (this named can be changed easily). There is a rule hard baked into the hook to ensure that any events including this name will be dropped automatically but it will still be an IOC having it listening, so I recommend changing it.

Community Filters

If you create some useful filters feel free to make a pull request to the YaraFilters directory. It would be cool to have a good collection of filters to hide common actions that everyone can benefit from.