{
	"id": "d2675f47-f4cf-4ba6-be7d-4382753b73e8",
	"created_at": "2026-04-06T00:21:20.34387Z",
	"updated_at": "2026-04-10T03:23:52.124717Z",
	"deleted_at": null,
	"sha1_hash": "8866f322cfae788f307a071a39945363d348829f",
	"title": "Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45536,
	"plain_text": "Report\r\nArchived: 2026-04-05 20:34:32 UTC\r\n-- (Type-Attack A) The first one is to create the Registry Key \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\". This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses PowerShell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise).\r\n-- (Type-Attack B) The second way is to disable the service EventLog (display name Windows Event Log). After disabling it, the attacker must reboot the system. The action of disabling the service or setting it to manual will modify the Registry Key value \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\start\", therefore Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system.\r\n-- (Type-Attack C) The third way is linked with the second. By default, the EventLog service cannot be stopped. If an attacker tries to stop the service, it will restart immediately. Why? Because to stop completely, this service must stop others, one in particular called netprofm (display name Network List Service). This service remains running until it is disabled. So the attacker must either disable EventLog and then stop it, or disable netprofm and then stop EventLog. Only stopping the service (even as admin) will not have an effect on the EventLog service because of the link with netprofm. Security EventLog 1100 will log the stop of the EventLog service (but it also generates a lot of noise because it will generate a log every time the system shuts down). We can stop the service (with Stop-Service) only if we disable it with the commands Set-Service or sc config. Direct modification of the registry key using reg add, New-ItemProperty or Set-ItemProperty will disable the service only after a system restart.\r\n-- (Type-Attack D) The fourth way is to use auditpol.exe to modify the audit configuration and disable/modify important parameters, which will prevent the creation of EventLog entries.\r\n-- (Type-Attack E) The fifth way is to modify the Registry Key value \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security\\file\" (or the equivalent value for other logs) to change the path where the EventLog files are stored. Importantly, with this technique, the Event Viewer will use the value of the Registry Key \"file\" to know where to find the log. Thus, using the Event Viewer will always show the current event logs, but the old ones will be stored in another .evtx file. Also, the location of the file must be writable by the Event Log service and should only be accessible to administrators. The attacker can also decrease the maxsize value of the log to force the system to overwrite the older EventLog entries (but the minimum cannot be less than 1028 KB). As the Registry key is modified, Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. All of these attacks require administrative rights. Attacks number three, four and five do not require a system reboot to be effective immediately.\r\n-- (Type-Attack F) (Fixed in Windows 11 version) One discovered during my LAB is a new way to disable the Security EventLog without needing administrator privilege (tested on Microsoft Windows [Version 10.0.17763.1935]). A non-admin user can modify the \"start\" value in the registry \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Security\" to completely disable the Security EventLog. However, a system reboot is required for it to take effect. After the reboot, a System EventLog 22 is generated and the Security EventLog will be Completely Unavailable. Adversaries may also modify the \"start\" value in the registry \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-System\" and \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application\" to disable all the EventLogs, which will be Partially Unavailable. Administrator privilege required. Adversaries may also modify the \"enabled\" values in \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\" or the value \"start\" in \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational\", and the Sysmon EventLog will be Completely Unavailable. Administrator privilege required.\r\n-- (Type-Attack G) The attacker may use the PowerShell command \"Remove-EventLog -LogName Security\" to unregister sources of events that are part of Windows (Application, Security…). This command deletes the Security EventLog (which also generates EventId 1102), but new EventLogs are still recorded until the system is rebooted. After the system is rebooted, the Security log is unregistered and doesn't log any new EventLog. However, logs generated between the command and the reboot are still available in the .evtx file (Partially Unavailable). This command disables logs (reboot required) AND deletes EventLogs (reboot NOT required).\r\nAttack also present in REP-26-D\r\nNote: We can define the result of the log availability in 3 categories:\r\n- Completely Unavailable (lost after the configuration revert)\r\n- Partially Unavailable (available after the configuration revert (if log rewriting not done))\r\n- Available in Other File (available in other location)\r\nSource: https://ptylu.github.io/content/report/report.html?report=25",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://ptylu.github.io/content/report/report.html?report=25"
	],
	"report_names": [
		"report.html?report=25"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434880,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8866f322cfae788f307a071a39945363d348829f.pdf",
		"text": "https://archive.orkl.eu/8866f322cfae788f307a071a39945363d348829f.txt",
		"img": "https://archive.orkl.eu/8866f322cfae788f307a071a39945363d348829f.jpg"
	}
}