{
	"id": "1eeb496e-0c02-4d56-99cb-42d890880090",
	"created_at": "2026-04-06T00:21:02.889567Z",
	"updated_at": "2026-04-10T03:26:53.250706Z",
	"deleted_at": null,
	"sha1_hash": "8100c322f576ce246cd2760e5b936ca12dab7e13",
	"title": "Event Log Tampering Part 1: Disrupting the EventLog Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 926075,
	"plain_text": "Event Log Tampering Part 1: Disrupting the EventLog Service\r\nBy svch0st\r\nPublished: 2020-10-03 · Archived: 2026-04-05 21:35:26 UTC\r\nOct 1, 2020\r\nWindows event logs are a fundamental source of data and evidence for incident response. Attackers will target this source to slow down the response by clearing or tampering with logs (T1070). Although there are other artefacts that these activities cannot hide from, it is still a popular anti-forensic technique.\r\nYou Can’t See Me\r\nFor this set of blog posts, I wanted to focus on slightly more involved anti-forensic methods and look at examples for each method, such as:\r\nPart 1: Disrupting the EventLog Service\r\nService Host Thread Tampering (Invoke-Phant0m)\r\nPatching the Event Service (Mimikatz)\r\nDowngrading Windows Components (Adding MiniNT key)\r\nPart 2: Manipulating individual event logs\r\nEvtx Structure \u0026 Manual Event Editing (A must-read to understand the following sections)\r\nEvent Record Unreferencing (Shadow Brokers Tools DanderSpritz/eventlogedit)\r\nRewriting Logs with WinAPI EvtExportLog (3gstudent’s evolutions of eventlogedit)\r\nPart 3: Combining Techniques\r\nJust for completeness' sake, the more common and already heavily documented methods are:\r\nClear the Log\r\nExample: wevtutil cl Security or Clear-EventLog\r\nDetected by: Security Event ID 1102, System Event ID 104 or command line usage of wevtutil\r\nDisable the Event Log Service\r\nExample: sc stop EventLog\r\nDetected by: Service Control Manager Event ID 7035 or command line usage\r\nhttps://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c\r\nPage 1 of 6\r\nAlthough some of the more advanced methods will use these steps, I wanted to put these aside and focus on the more involved techniques.\r\nDisrupting the EventLog Service\r\nThe goal of the methods I will go over below is to impact the service responsible for event logging so that no logs are recorded. This will leave a hole in your timelines or be used to clear the event log without it being recorded.\r\nService Host Thread Tampering\r\nLet’s quickly have a look at how the EventLog service runs. Each service will be associated with an instance of svchost.exe, so we need to find which one EventLog uses.\r\nYou can see below that the EventLog service is running in the svchost.exe with a PID of 1436.\r\nBelow are the threads that are related to the EventLog service in the svchost.exe process.\r\nThese are basically the worker threads of the service. If we can tamper with these, then we can affect the event log. We will use the tool Invoke-Phant0m to showcase this method.\r\nInvoke-Phant0m uses the following steps:\r\n1. Detect the process of the Windows Event Log Service in the target.\r\n2. Get the thread list and identify the Windows Event Log Service thread IDs.\r\n3. Kill all threads belonging to the Windows Event Log Service.\r\nThis list is from the following blog, which is also a more detailed write-up of how Phant0m works:\r\nOnce we run Invoke-Phant0m, it will locate all the threads associated with the EventLog service (see the picture above to compare thread IDs) and kill them.\r\nYou can now see that there are no threads in the svchost.exe process, and there will no longer be events written to the log.\r\nIf we restart the service using net stop/start eventlog, the threads return and eventing starts to return with no indication of what happened in between.\r\nA time gap in logs from where I started Phant0m and restarted the service.\r\nThis technique is quieter than simply disabling the event service. During the time the threads are killed, you could clear the event log without leaving behind the Security Event ID 1102 indicator. Later on, we will also look at just suspending the threads instead of killing them with Phant0m.\r\nPatching the Event Service\r\nMimikatz currently has a module that can patch the event log service and then clear the log.\r\nThis method is simple but effective because it doesn’t leave behind the Security Event ID 1102 indicator when you go to clear the log, just like the first example.\r\nMimikatz targets wevtsvc.dll (the Windows Event Service DLL) that is loaded in the svchost.exe responsible for the EventLog service.\r\nHere is a link to the source code of the module.\r\nFirst, Mimikatz will find the function Channel::ActualProcessEvent, depending on the Windows version, using predefined patterns. This function is responsible for writing the events to the log.\r\nIt will then write 0xc3 (which is a ret, or x64 return instruction) or 0xC20400 (which is ret 4 for x86) at the start of Channel::ActualProcessEvent using an offset and the position of the instructions found in the previous step.\r\nMimikatz will have now modified Channel::ActualProcessEvent to always return before any action takes place.\r\nThis is only an in-memory modification, so once the service is restarted or the computer is rebooted, the EventLog service will return to normal.\r\nDowngrading Windows Components\r\nThe existence of the MiniNT registry key will result in various Windows components thinking the environment is WinPE (Preinstallation Environment).\r\nOne of these components is the Event Log service! By adding the key below, we can test how the service reacts.\r\nreg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt”\r\nOnce we add the key, restart to load the changes in the hive, and then open the Event Viewer, we are presented with this error for any log:\r\nIf we manually check the file, all events up until the restart remain.\r\nWhen the key was active, the EventLog service still ran, but the svchost.exe for it didn’t have a file handle on any of the .evtx files.\r\nWhen I deleted the MiniNT key and restarted the EventLog service (also tried rebooting), all of the events in the period that it was disabled were populated in security.evtx. They must be stored somewhere… Something to investigate further!\r\nThis method wouldn’t hide activity when restarting the service, unlike the other methods, but it does release the handle access to the file for editing.\r\nSource: https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c"
	],
	"report_names": [
		"event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8100c322f576ce246cd2760e5b936ca12dab7e13.pdf",
		"text": "https://archive.orkl.eu/8100c322f576ce246cd2760e5b936ca12dab7e13.txt",
		"img": "https://archive.orkl.eu/8100c322f576ce246cd2760e5b936ca12dab7e13.jpg"
	}
}