Security News > 2024 > January > A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs
A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported versions of Windows could spell trouble for enterprise defenders.
"I have only tested the whole thing a few times in a domain network consisting of a Windows 10 machine and a Windows Server 2022 domain controller. I was able to crash the event log service of the domain controller as an unprivileged user from the Windows 10 machine, and that was about it."
While testing the PoC, the Acros team found that the Windows Event Log service will restart after two crashes, but not after a third one.
The team found that while the service is down, Security and System events will be put in an event queue so they can be written in the logs when the service restarts.
"During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks - password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker's favorite whoami - without being noticed," Kolsek pointed out.
"If the company is using intrusion detection based on Windows event logs, an attacker making multiple attempts to login as another domain user might trigger alerts. Disabling the Event Log service would prevent such real-time detection."
News URL
https://www.helpnetsecurity.com/2024/01/31/windows-event-log-vulnerability/
Related news
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Patching problems: The “return” of a Windows Themes spoofing vulnerability (source)
- New Windows Themes zero-day gets free, unofficial patches (source)
- Windows Themes zero-day bug exposes users to NTLM credential theft (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- How a Windows zero-day was exploited in the wild for months (CVE-2024-43451) (source)
- RomCom hackers chained Firefox and Windows zero-days to deliver backdoor (source)
- RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks (source)