Reading and Writing to Eventlog

With proper permissions (not much is required) a user can write text and binary data to event logs and retrieve them easily with:

Evt* EventLog APIs

Powershell

VBS & WMI

eventcreate.exe & wevtutil.exe

The methods vary in what they support: some allow adding binary data or changing the user SID, others can only post text, and so on.

Write-EventLog -LogName "Application" -Source "Microsoft-Windows-User-Loader" -EventId 916 -EntryType Information -Message "Hello World" -Category 2 -RawData 65,66,67,68

The previous PowerShell command writes to the Application log file, using the User-Loader source, with event ID 916, and includes 4 raw bytes; the resulting record is formatted as:

[Screenshot: event with message formatted as its template]

Now, to retrieve the message, we call:

Get-EventLog -Newest 1 -LogName "Application" -Source "Microsoft-Windows-User-Loader" -Message "Provider Hello*"

[Screenshot: last event information]

That gets us the latest event matching the specified log file, source and formatted message; the raw bytes and the original replacement strings can then be accessed directly from the returned entry.

Different event IDs produce different formatted messages to look for, which allows us to hide different parameters inside the message and extract them later on.

Now that we are able to write and read, we can use that to store a ‘fileless’ stage 2 payload, and as log files are managed by a system service, nothing looks suspicious here. In fact, the binary data field can hold up to 32kb, which means we can even store sophisticated large payloads of Empire, Meterpreter or any other payload in chunks and combine the chunks to rebuild the Empire payload.

For the purpose of demonstration, we can write some code and read it back, using Deflate to compress it (despite the ratio in this case) and store it as raw bytes:

[Screenshot: Deflate payload and store it as raw data]

Now we can check how it looks in the Event Viewer:

All we need next is to read the raw data back and decompress it the same way, then call Invoke-Expression to execute the decoded payload.
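As an added example from the defender's side (not code from the original post), here is a Windows PowerShell hunting script that looks for the artefact this technique leaves behind: Application log records whose raw data field is unusually large, or whose bytes have the near-uniform distribution that compressed data produces. It reads entries with the same Get-EventLog cmdlet the post uses; the function name, the size and entropy thresholds, and the gzip/zlib header check are assumptions chosen for illustration.

```powershell
# Added example, not part of the original post: hunt for event records that carry
# large or compressed-looking raw binary data. Thresholds are assumptions.

function Get-ByteEntropy {
    # Shannon entropy in bits per byte; compressed data sits close to 8.0,
    # while the small raw-data blobs written by normal applications sit far lower.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Find-SuspiciousEventRawData {
    param(
        [string]$LogName     = "Application",
        [int]$Newest         = 5000,
        [int]$MinRawBytes    = 1024,   # assumed: legitimate RawData is usually a few bytes
        [double]$MinEntropy  = 6.0     # assumed: deflated payloads score near 8 bits/byte
    )

    Get-EventLog -LogName $LogName -Newest $Newest -ErrorAction Stop |
        Where-Object { $_.Data -and $_.Data.Length -ge $MinRawBytes } |
        ForEach-Object {
            $data = $_.Data
            # gzip (1F 8B) and zlib (78 xx) streams have recognisable headers; a raw
            # .NET DeflateStream has none, which is why the entropy score is also kept.
            $hasCompressedHeader = ($data[0] -eq 0x1F -and $data[1] -eq 0x8B) -or ($data[0] -eq 0x78)
            [pscustomobject]@{
                TimeGenerated   = $_.TimeGenerated
                Source          = $_.Source
                EventID         = $_.EventID
                RawBytes        = $data.Length
                Entropy         = [Math]::Round((Get-ByteEntropy -Bytes $data), 2)
                CompressedHdr   = $hasCompressedHeader
                ReplacementStrs = ($_.ReplacementStrings -join ' | ')
            }
        } |
        Where-Object { $_.Entropy -ge $MinEntropy -or $_.CompressedHdr }
}

# Usage: list the candidate records newest first
Find-SuspiciousEventRawData | Sort-Object TimeGenerated -Descending | Format-Table -AutoSize
```

The script only flags candidates; a hit still has to be confirmed by checking whether the source normally writes binary data at all. Because the final step in the post goes through Invoke-Expression, the decoded content also surfaces in PowerShell script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) once that logging is enabled, which gives a second, independent place to look.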