SharpNukeEventLog

nuke that event log using some epic dinvoke fu

Inspired by https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads and https://github.com/hlldz/Invoke-Phant0m

In order for this to compile you'll have to add System.Management to your references, which should be found here: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.5\System.Management.dll

Tested on x64 systems; it almost certainly won't work on x86 unless you adjust the IntPtr marshalling.

For red teamers, by a red teamer. I will not take part in the whole OST debate.

              /\                       |\**/|
             /  \                      \ == /
             |  |                       |  |
             |  |     EventlogNuker     |  |
            / == \       @jfmaes        \  /
            |/**\|                       \/



target found, nuke launched on the eventlog threads of PID: 1380
wevtsvc.dll found at 0x140733035708416
suspending eventlog thread 2204
suspending eventlog thread 2564
suspending eventlog thread 2568
suspending eventlog thread 2580


                  _.-^^---....,,--
             _--                  --_
            <                        >)
            |                         |
             \._                   _./
               ```--. . , ; .--'''
                     | |   |
                  .-=||  | |=-.
                  `-=#$%&%$#=-'
                     | ;  :|
            _____.,-#%&$@%#&#~,._____

        Eventlog nuked successfully!
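The sample run above shows the service's threads being suspended while the service itself stays up. As an added defender-side check, not part of this project: a PowerShell snippet that finds the process hosting the EventLog service and counts threads whose wait reason is Suspended, a state a healthy event log host should never show.

```powershell
# Added example, not part of SharpNukeEventLog: report the thread state of the
# process hosting the Windows EventLog service. With its threads suspended the
# service still reports "Running" but writes no events, so any suspended thread
# here is a tampering indicator. Run in an elevated PowerShell on the host.
function Test-EventLogThreads {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EventLog'"
    if (-not $svc -or $svc.ProcessId -eq 0) {
        Write-Warning "EventLog service is not running (State: $($svc.State))"
        return $null
    }
    $proc = Get-Process -Id $svc.ProcessId
    # WaitReason is only valid while ThreadState is Wait, so test the state
    # first; -and short-circuits, so WaitReason is never read otherwise.
    $suspended = @($proc.Threads | Where-Object {
        $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
    })
    [pscustomobject]@{
        ServiceState     = $svc.State
        HostPid          = $proc.Id
        HostProcess      = $proc.ProcessName
        TotalThreads     = $proc.Threads.Count
        SuspendedThreads = $suspended.Count
        SuspendedIds     = @($suspended | ForEach-Object { $_.Id })
    }
}

$result = Test-EventLogThreads
if ($result) {
    $result | Format-List
    if ($result.SuspendedThreads -gt 0) {
        Write-Warning ("$($result.SuspendedThreads) of $($result.TotalThreads) threads in PID " +
            "$($result.HostPid) are suspended while the service reports '$($result.ServiceState)'; " +
            "treat this as event log tampering and look for a gap in recent events.")
    }
}
```

This is a point-in-time check, and threads can be resumed after the fact, so pair it with a look for unexplained gaps in event timestamps on the host.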