wisdark/Invoke-Phant0m
Invoke-Phant0m

This script walks the thread stacks of the Event Log Service process (a specific svchost.exe), identifies the threads that belong to the Event Log Service and kills them. The system will then no longer collect logs, while the Event Log Service still appears to be running.
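Because the service keeps reporting "Running" after its worker threads are gone, a defender cannot rely on Get-Service alone. The following PowerShell probe is an added example written for this page and is not part of Invoke-Phant0m: it records the service state and the thread count of the svchost.exe hosting it (to compare against a baseline taken on a known-good host, which is an assumption you must supply), then writes a marker event and verifies that the event can actually be read back within a timeout. The source name EventLogHealthProbe, the event ID 1000 and the timeouts are constructed values; registering the source the first time requires an elevated session.

```powershell
# Added example (not part of the Invoke-Phant0m project): liveness probe for the
# Windows Event Log service. Service status is not trustworthy on its own, so the
# probe checks whether a freshly written event really lands in the Application log.
# Assumptions: elevated session (to register the probe source once), and the
# source name / event ID below are our own constructed choices.

$Source         = 'EventLogHealthProbe'   # constructed source name
$LogName        = 'Application'
$TimeoutSeconds = 10

function Get-EventLogServiceState {
    # Service state plus the thread count of the hosting svchost.exe; the thread
    # count is only meaningful against a baseline recorded on a healthy host.
    $svc  = Get-CimInstance Win32_Service -Filter "Name='EventLog'"
    $proc = if ($svc.ProcessId) { Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        State       = $svc.State
        ProcessId   = $svc.ProcessId
        ThreadCount = if ($proc) { $proc.Threads.Count } else { $null }
    }
}

function Test-EventLogLiveness {
    param([string]$Source, [string]$LogName, [int]$TimeoutSeconds)

    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
    $marker = [guid]::NewGuid().ToString()
    $start  = (Get-Date).AddSeconds(-5)    # small tolerance for clock granularity

    # Write from a background job so a hung RPC call to a crippled service
    # cannot block the probe itself.
    $job = Start-Job -ScriptBlock {
        param($LogName, $Source, $marker)
        Write-EventLog -LogName $LogName -Source $Source -EventId 1000 `
            -EntryType Information -Message "liveness probe $marker"
    } -ArgumentList $LogName, $Source, $marker
    $finished = Wait-Job -Job $job -Timeout $TimeoutSeconds   # $null on timeout
    Remove-Job -Job $job -Force

    if (-not $finished) {
        return [pscustomobject]@{ Healthy = $false; Reason = 'Write-EventLog timed out' }
    }

    # Read the marker back; a service whose worker threads are gone returns nothing.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $hit = Get-WinEvent -FilterHashtable @{
                   LogName = $LogName; ProviderName = $Source; Id = 1000; StartTime = $start
               } -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -like "*$marker*" } | Select-Object -First 1
        if ($hit) {
            return [pscustomobject]@{ Healthy = $true; Reason = 'probe event readable' }
        }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)

    [pscustomobject]@{ Healthy = $false; Reason = 'probe event never appeared in the log' }
}

$state  = Get-EventLogServiceState
$result = Test-EventLogLiveness -Source $Source -LogName $LogName -TimeoutSeconds $TimeoutSeconds
"EventLog service: $($state.State), PID $($state.ProcessId), threads $($state.ThreadCount)"
"Liveness: $($result.Healthy) ($($result.Reason))"
if (-not $result.Healthy) { exit 1 }
```

Run the probe on a schedule or from your monitoring agent and alert when the service reports Running but the liveness check fails; the exit code makes it usable from a scheduled task. A thread count that drops well below the baseline while the state stays Running is the second signal worth forwarding, since that is exactly the condition the script above leaves behind.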

I have made this script for two reasons. First, this script will help Red Teams and Penetration Testers. Second, I want to learn PowerShell and low-level things in PowerShell for the cyber security field.

Usage

PS C:\> Invoke-Phant0m
        _                 _    ___
  _ __ | |__   __ _ _ __ | |_ / _ \ _ __ ___
 | '_ \| '_ \ / _` | '_ \| __| | | | '_ ` _ \
 | |_) | | | | (_| | | | | |_| |_| | | | | | |
 | .__/|_| |_|\__,_|_| |_|\__|\___/|_| |_| |_|
 |_|


[!] I'm here to blur the line between life and death...

[*] Enumerating threads of PID: 1000...
[*] Parsing Event Log Service Threads...
[+] Thread 1001 Succesfully Killed!
[+] Thread 1002 Succesfully Killed!
[+] Thread 1003 Succesfully Killed!
[+] Thread 1004 Succesfully Killed!

[+] All done, you are ready to go!

Technical Details

Phant0m: Killing Windows Event Log - https://artofpwn.com/2017/06/05/phant0m-killing-windows-event-log.html

Video

PoC Video

Acknowledgements

About

Windows Event Log Killer
