Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jfmaes/SharpNukeEventLog
nuke that event log using some epic dinvoke fu
Last synced: 22 days ago
- Host: GitHub
- URL: https://github.com/jfmaes/SharpNukeEventLog
- Owner: jfmaes
- License: apache-2.0
- Created: 2021-05-12T18:21:55.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2021-05-12T18:31:57.000Z (over 3 years ago)
- Last Synced: 2024-05-08T01:31:14.223Z (7 months ago)
- Language: C#
- Size: 49.8 KB
- Stars: 114
- Watchers: 4
- Forks: 16
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - jfmaes/SharpNukeEventLog - nuke that event log using some epic dinvoke fu (C#)
README
# SharpNukeEventLog
nuke that event log using some epic dinvoke fu

Inspired by https://www.ired.team/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads and https://github.com/hlldz/Invoke-Phant0m

In order for this to compile you'll have to add `System.Management` to your references, which should be found here: `C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.5\System.Management.dll`
Tested for x64 systems, pretty sure it won't work for x86 unless you do some magic with the IntPtr marshalling.
For red teamer, by a red teamer.
I will not take part in the whole OST debate.

```
/\ |\**/|
/ \ \ == /
| | | |
| | EventlogNuker | |
/ == \ @jfmaes \ /
|/**\| \/
target found, nuke launched on the eventlog threads of PID: 1380
wevtsvc.dll found at 0x140733035708416
suspending eventlog thread 2204
suspending eventlog thread 2564
suspending eventlog thread 2568
suspending eventlog thread 2580
_.-^^---....,,--
_-- --_
< >)
| |
\._ _./
```--. . , ; .--'''
| | |
.-=|| | |=-.
`-=#$%&%$#=-'
| ; :|
_____.,-#%&$@%#~,._____
Eventlog nuked successfully!
```