I would like to mention
https://
This blog post describes the tool "eventlogedit", developed by the NSA and published by the Shadow Brokers group. AFAIK it describes the currently most sophisticated tool to manipulate Windows Eventlogs. I'm quite sure we will see more successful manipulations of Eventlogs than ever. Before the release of eventlogedit it was nearly impossible to delete single Eventlog entries and to maintain the integrity and hash verification of the file. But now it does not seem to be a problem.
Anyway,
best regards,
Robin
I and others tried using the tool this past spring after it was released, and could not get it to work…there was no discernible impact on the systems we tried. There were some who claimed that it worked, but were unable to thoroughly describe what they'd done, and unwilling to provide a target *.evtx file for examination.
Well, in that case they did get away with it.
IIRC, the tool "unlinks" an eventlog entry so it becomes part of the earlier record and the entry is seen as overflow data. The information is there, it just isn't its own eventlog entry anymore. That is probably why you didn't see it.
If you dump it all out as text, the data should be there, just not as its own record. I haven't played with it myself since I do not trust the Eventlog service to keep the integrity of logs - just because of such tools.
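The "unlinking" described in the comment above can be checked for from the defender's side: walk a chunk's records by their size fields and compare that against every record signature actually present in the chunk; a signature the walk never lands on has been swallowed by the preceding record. This is an added example, not code from the thread or from the tool; it assumes the standard EVTX record layout (magic `**\0\0`, uint32 size, uint64 record id, FILETIME, BinXML body, trailing size copy) and builds a constructed chunk with a simulated edit, so it runs offline. The function names are my own.

```python
import struct

RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # "**\0\0", start of every EVTX record
CHUNK_MAGIC = b"ElfChnk\x00"
CHUNK_HEADER_SIZE = 512             # records begin after the chunk header
CHUNK_SIZE = 65536

def build_record(record_id, body):
    """Constructed record: magic, size, record id, FILETIME (0 here), body, size copy."""
    size = 4 + 4 + 8 + 8 + len(body) + 4
    return RECORD_MAGIC + struct.pack("<IQQ", size, record_id, 0) + body + struct.pack("<I", size)

def build_chunk(records):
    """Constructed chunk: header padded to 512 bytes, records, zero fill."""
    header = CHUNK_MAGIC.ljust(CHUNK_HEADER_SIZE, b"\x00")
    return (header + b"".join(records)).ljust(CHUNK_SIZE, b"\x00")

def find_hidden_records(chunk):
    """Return (offset, record_id) for every record signature the size-field walk
    never reaches, i.e. records hidden inside a predecessor's declared size.
    Caveat: a BinXML body containing the bytes 2a2a0000 would be a false positive;
    UTF-16 text in the body encodes '**' as 2a002a00, so this is rare."""
    linked = set()
    pos = CHUNK_HEADER_SIZE
    while pos + 28 <= len(chunk) and chunk[pos:pos + 4] == RECORD_MAGIC:
        size = struct.unpack_from("<I", chunk, pos + 4)[0]
        if size < 28 or pos + size > len(chunk):
            break                    # corrupt size field; stop walking
        linked.add(pos)
        pos += size
    signatures = set()
    off = chunk.find(RECORD_MAGIC, CHUNK_HEADER_SIZE)
    while off != -1:
        signatures.add(off)
        off = chunk.find(RECORD_MAGIC, off + 1)
    return [(o, struct.unpack_from("<Q", chunk, o + 8)[0]) for o in sorted(signatures - linked)]

def demo():
    """Constructed input: three records, then record 101's size field is enlarged
    so it spans record 102 as well (a simulated unlink, not the real tool's edit)."""
    recs = [build_record(i, f'<Event id="{i}"/>'.encode("utf-16-le")) for i in (101, 102, 103)]
    clean = build_chunk(recs)
    edited = bytearray(clean)
    struct.pack_into("<I", edited, CHUNK_HEADER_SIZE + 4, len(recs[0]) + len(recs[1]))
    return find_hidden_records(clean), find_hidden_records(bytes(edited))

if __name__ == "__main__":
    print(demo())   # ([], [(574, 102)])
```

Dumping the chunk as text, as the comment says, would still show record 102's body; this check instead flags the structural inconsistency itself.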
I didn't see it because, as I mentioned in my case it didn't work…the tool failed to function.
In instances where folks claimed that it did work, they were unable/unwilling to provide any proof…not even screencaps of the event log, before and after, via MMC.