HackTool - SharpEvtMute Execution

Detects the use of SharpEvtMute (the C# build of bats3c's EvtMute), a tool that silences selected Windows event log entries by applying a filter to the events reported by the Event Log service

Sigma rule

title: HackTool - SharpEvtMute Execution
id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
related:
    - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load
      type: similar
status: test
description: Detects the use of SharpEvtMute, a tool that tampers with the Windows event logs
references:
    - https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-02-14
tags:
    - attack.defense-evasion
    - attack.t1562.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\SharpEvtMute.exe'
        - Description: 'SharpEvtMute'
        - CommandLine|contains:
              - '--Filter "rule '
              - '--Encoded --Filter \"'
    condition: selection
falsepositives:
    - Unknown
level: high
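The selection above is a list of three entries, and in Sigma a list under a selection is OR'd: an event matches if its image name, its PE description, or its command line matches, so a renamed binary is still caught as long as the version resource or the quoted `--Filter` syntax survives. The following is an added example, not code from the rule or from the EvtMute project: a small Python matcher that applies this selection to constructed process-creation events (Sysmon-style fields, made-up paths and filter text) so the OR semantics, Sigma's default case-insensitive string matching, and the evasion the rule does not cover can be seen on concrete input.

```python
# Added example, not part of the Sigma rule or of the EvtMute project: applies
# the rule's `selection` to constructed process-creation events.
from typing import Dict, List

# Values copied from the rule. YAML single-quoted strings are literal, so the
# second CommandLine pattern is a backslash followed by a double quote.
IMAGE_SUFFIXES = ["\\SharpEvtMute.exe"]
DESCRIPTIONS = ["SharpEvtMute"]
COMMANDLINE_SUBSTRINGS = ['--Filter "rule ', '--Encoded --Filter \\"']


def _lower(event: Dict[str, str], field: str) -> str:
    """Lower-case a field value, treating a missing field as empty."""
    return (event.get(field) or "").lower()


def selection_hits(event: Dict[str, str]) -> List[str]:
    """Return the selection entries this event satisfies (empty list = no match).

    Each entry under `selection` is an independent condition (OR), and the list
    of CommandLine substrings is itself OR'd. Comparisons are case-insensitive,
    which is Sigma's default for string matching.
    """
    hits = []
    image = _lower(event, "Image")
    if any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES):
        hits.append("Image|endswith")
    if _lower(event, "Description") in [d.lower() for d in DESCRIPTIONS]:
        hits.append("Description")
    cmdline = _lower(event, "CommandLine")
    if any(s.lower() in cmdline for s in COMMANDLINE_SUBSTRINGS):
        hits.append("CommandLine|contains")
    return hits


def rule_matches(event: Dict[str, str]) -> bool:
    """`condition: selection` holds when at least one selection entry hit."""
    return bool(selection_hits(event))


# Constructed events (Sysmon event ID 1 style fields), not real telemetry.
# Paths, user names and filter contents are invented for illustration.
SAMPLE_EVENTS = {
    # Unmodified binary from a user temp directory: all three entries fire.
    "original_binary": {
        "Image": r"C:\Users\bob\AppData\Local\Temp\SharpEvtMute.exe",
        "Description": "SharpEvtMute",
        "CommandLine": 'SharpEvtMute.exe --Filter "rule block_4688 { condition: true }"',
    },
    # Renamed binary: the file name no longer matches, but the PE version
    # resource and the escaped --Encoded invocation still do.
    "renamed_binary": {
        "Image": r"C:\Windows\Temp\svchost.exe",
        "Description": "SharpEvtMute",
        "CommandLine": r'svchost.exe --Encoded --Filter \"cnVsZSBi\"',
    },
    # Renamed, version resource stripped, filter given without the quoted
    # "rule " prefix: nothing fires. This is the gap the rule leaves open.
    "renamed_and_stripped": {
        "Image": r"C:\Windows\Temp\svchost.exe",
        "Description": "",
        "CommandLine": "svchost.exe --Filter rule_no_quotes",
    },
    # Mixed-case file name: still caught because matching ignores case.
    "lowercase_name": {
        "Image": r"C:\Tools\sharpevtmute.EXE",
        "Description": "",
        "CommandLine": "sharpevtmute.EXE --help",
    },
    # Benign process that mentions "rule" but not in the rule's syntax.
    "benign": {
        "Image": r"C:\Program Files\Git\usr\bin\grep.exe",
        "Description": "GNU grep",
        "CommandLine": 'grep.exe -i "rule" notes.txt',
    },
}


def evaluate(events: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run the selection over every sample and return the hits per event name."""
    return {name: selection_hits(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:22s} match={rule_matches(SAMPLE_EVENTS[name])!s:5s} via {hits}")
```

The `renamed_and_stripped` case is why the related DLL-load rule (49329257-089d-46e6-af37-4afce4290685) matters: once the file name, the version resource and the quoted filter syntax are all gone, process creation alone gives this rule nothing to match on.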
