The windows is our friend!!! Windows Event Log Persistence

Fabricio Gimenes

The idea of this talk is to show some of the phases and techniques used during a red team operation, or even a pentest, in a Windows environment.

The main focus is on bypass and persistence techniques that use Windows itself as our ally.

All the PoCs shown here were done in a controlled lab environment where some protection mechanisms were in place, such as AppLocker blocking PowerShell scripts, and cover privilege elevation and persistence using the event log.

During all the tests, I tried to use techniques different from the existing ones, thus showing a new approach.

– Bypass CLM (PowerShell Constrained Language Mode)
– Elevation of privilege using a WiX file to gain access as NT AUTHORITY\SYSTEM
– Persistence using the Windows Event Log

The initial idea is to show all the phases needed during a red team test against a host hardened with the highest level of protection: gaining privileged access and then establishing persistence using the Windows Event Log itself as our friend.

During testing it was possible to remain completely undetected by Windows Defender.

Recon – Bypass Constrained Language Mode

AppLocker can also be used to block the execution of PowerShell scripts, which puts PowerShell into a protection mechanism known as CLM (Constrained Language Mode); it is used to prevent malicious users from executing PowerShell scripts at the standard user level.

This makes it difficult for the attacker or pentester to perform basic recon in search of a possible privilege escalation path or of credentials that could facilitate lateral movement.

During the CLM bypass we will use the Windows PowerShell runspace itself to perform recon and an AMSI bypass in search of an elevation of privilege.


For this phase it was necessary to create a C# program that invokes a PowerShell runspace, making it possible to do a complete recon using PowerUp.

-> C# program with runspace execution
-> Exploit download using native Windows tools (certutil and bitsadmin)
-> certutil is used to hide the exploit.
-> bitsadmin is used to download and build the executable.

After this recon phase, it was possible to move on to the next ones.

Elevation of Privilege

To carry out the elevation of privilege we will explore MSI executables, with which it is possible to install a program with NT AUTHORITY\SYSTEM privileges. To carry out this attack, however, we use a new approach: WiX XML files and Windows binaries are used to build the malicious MSI.

What is AlwaysInstallElevated?

You can use the AlwaysInstallElevated policy to install a Windows Installer package with elevated (system) privileges.

Persistence – Windows EventLog

To maintain persistence and remain undetected by Windows Defender, we will again use Windows as our ally, abusing the Windows Event Log to execute payloads stored in its raw data, without any detection by Windows Defender.

In 2022, Kaspersky published research showing how new malware was using the Windows Event Log to maintain persistence and avoid detection by Windows Defender.
After that research little was heard about the subject, which gave rise to the idea of showing how this technique can be executed in a red team operation or in a controlled test in a Windows environment.


To execute this phase, it was necessary to create a C# program using some Win32 APIs so that the shellcode stored in the raw data of the Windows Event Log could be executed.

-> Creation of a new event log (only possible after the elevation of privilege)
-> To create the new event log we use PowerShell itself.
-> Creation of the shellcode in hex so that it can be stored in the event log's raw data.
-> After creating the new event log, it was used in the C# program we created for the following actions:
-> Read our new event log
-> Run the raw data content stored in hex

Execution 2

For the PowerShell-only execution it was necessary to use the following tools.

-> Creation of a new event log (only possible after the elevation of privilege)
-> To create the new event log we use PowerShell itself.
-> xencrypt to encrypt our shellcode with AES-256
-> With the command generated by xencrypt it was possible to execute our shellcode stored in the raw data.
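A defender-side hunt for the storage channel described in this section and in Execution 2, added here as an example that is not part of the talk or the author's tooling. It assumes Windows PowerShell 5.1 or later with rights to read the target logs; the log names, byte threshold and known-log list are placeholders to tune against your own baseline.

```powershell
# Added example, not the talk's code: hunt for event records whose raw data is
# unusually large, the storage channel the abstract describes. Log names and the
# byte threshold are placeholders; tune them against your own baseline.
param(
    [string[]]$LogName = @('Application', 'System'),  # placeholder: add custom logs
    [int]$MinBytes     = 512,                         # placeholder threshold
    [int]$MaxEvents    = 5000
)

function Get-LargeRawDataEvent {
    param([string]$Log, [int]$Threshold, [int]$Limit)
    $events = Get-WinEvent -LogName $Log -MaxEvents $Limit -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Classic records expose raw data as a hex string in <EventData><Binary>
        $xml = [xml]$e.ToXml()
        $hex = [string]$xml.Event.EventData.Binary
        if (-not $hex) { continue }
        $bytes = [int]($hex.Length / 2)
        if ($bytes -ge $Threshold) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                LogName     = $e.LogName
                Provider    = $e.ProviderName
                Id          = $e.Id
                RawBytes    = $bytes
                HexPreview  = $hex.Substring(0, [Math]::Min(32, $hex.Length))
            }
        }
    }
}

# The abstract notes the payload lives in a log created with PowerShell, so list
# the classic (non-channel) logs that hold records and compare them with your
# baseline. $knownLogs is a placeholder for the default logs on your hosts.
$knownLogs = @('Application', 'Security', 'Setup', 'System', 'Windows PowerShell')
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object {
        $_.LogName -notlike '*/*' -and $_.RecordCount -gt 0 -and
        $knownLogs -notcontains $_.LogName
    } |
    Select-Object LogName, RecordCount, LastWriteTime, LogFilePath

foreach ($log in $LogName) {
    Get-LargeRawDataEvent -Log $log -Threshold $MinBytes -Limit $MaxEvents
}
```

Records that legitimately carry binary data (crash dumps, some driver events) will also match, so the threshold and known-log list need a per-environment baseline before the output is used for alerting.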


Fabricio Gimenes: Purple Team Manager at Telefônica Brasil, a specialist with over 10 years of experience in offensive security (Red Team/Pentest). A graduate in Cyber Defense, he also holds some offensive security certifications (OSCP/OSWE/OSEP/CRTP).
