While not exactly what you are looking for this tool can selectively remove entries from the NT/2K event log. Does not work remotely and requires admin access. http://www.ntsecurity.nu/toolbox/winzapper/ From his FAQ: Q: Is it possible to add your own "made up" event records to the log? A: Yes, that's possible, but I haven't added that feature becuause I think it's too nasty. ;-) You could insert completely "made up" records anywhere in the log. Adrien ----- Original Message ----- From: "Tina Bird" <tbird@precision-guesswork.com> To: "Mr Rufus Faloofus" <foofusat_private> Cc: <pen-testat_private>; <jon.bullat_private>; <marvin.marinat_private>; <tbird@precision-guesswork.com> Sent: Wednesday, December 05, 2001 4:16 PM Subject: Re: Writing to Windows Security Log > Let me provide more details. > > We all understand that one of the big problems with > UNIX syslog-the-network-protocol is that it's UDP - > not authenticated, not reliable. An evildoer who > wants to make my logs less trustworthy can easily > send bogus data to my central loghost, at a minimum > introducing nonsense into my audit stream, and at > a maximum, knocking the loghost off line. > > As explained below, a Windows application or service > that registers itself with the Event Log service can > write messages to the Windows System and Application > Logs. So one way for me to introduce a roughly > equivalent source of bogus data into an Event Log stream > is to register an illegitimate application with > associated DLL with the Event Log service. I expect > that's a relatively straightforward thing to do, given > how easy it is to install back doors on Windows boxes -- > although one doesn't typically write back doors with lots > of logging capabilities, it might make sense to create > a program that muddied up the logs. > > However, the only things on a Windows box that can write > to the >Security< Event Log are the LSA and the Event > Log service itself, which have the SeAuditPrivilege. > This suggests that the Security Event Log has a much > higher level of assurance than anything in the off-the-shelf > UNIX world. > > This conclusion startled me ;-) so I figured I'd ask this > group if anyone knew of a tool that would get around > this access restriction. Does that clarify what I'm > after? > > thanks -- tbird > > On Wed, 5 Dec 2001, Mr Rufus Faloofus wrote: > > > At 07:26 PM 12/4/01 -0600, Tina Bird wrote: > > >Anyone out there have a tool that allows me to > > >forge Windows Security Event Log data? > > > > Depends what you mean by "forge," and what kind of access > > you have to the machine. To log an event, the Right Way is > > to register a DLL with your messages in it. It's not hard > > (see LOGEVENT.EXE from the resource kit, or section 15.2 in > > Marshall Brain's Win32 SYSTEM SERVICES: The Heart of Windows > > 95 and Windows NT [Prentice Hall PTR: NJ]: 1996), and you > > can roll your own. > > > > But these don't "forge" events, in the sense that the > > events they record are legitimate messages, and don't appear > > to come from bogus sources. So, for example, if you want > > to insert an apparent IIS message into a log (not using > > IIS), this would be hard. Also, we're assuming, so far, > > that you have NetBIOS access to the machine in question. > > > > If you want to insert arbitrary false messages into the > > files, that's complicated: the logging API doesn't permit > > it, and you'd be relegated (I think) to either finding a > > flaw in it-- like the recent discussions involving URLs > > with special characters embedded in them (but related to > > the security log, instead of the application log), or to > > programmatically editing the log files (which also is > > tricky, I bet). > > > > Does this help at all? > > > > --Foofus. > > > > > > > > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 13:54:41 PST