A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs

A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported versions of Windows could spell trouble for enterprise defenders.
"I have only tested the whole thing a few times in a domain network consisting of a Windows 10 machine and a Windows Server 2022 domain controller. I was able to crash the event log service of the domain controller as an unprivileged user from the Windows 10 machine, and that was about it."
While testing the PoC, the Acros team found that the Windows Event Log service will restart after two crashes, but not after a third one.
The team found that while the service is down, Security and System events will be put in an event queue so they can be written in the logs when the service restarts.
"During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks - password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker's favorite whoami - without being noticed," Kolsek pointed out.
"If the company is using intrusion detection based on Windows event logs, an attacker making multiple attempts to log in as another domain user might trigger alerts. Disabling the Event Log service would prevent such real-time detection."
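A defender's check for the failure mode described above, added here as an example and not code from the article or from Acros Security. It assumes an elevated PowerShell session on the host being inspected, and that Service Control Manager event IDs 7031 and 7034 (service terminated unexpectedly, with and without a corrective action) are the notices written to the System log when the Event Log service crashes. It reports whether the service is down now, lists recent unexpected terminations that were queued and written once the service came back, and changes the recovery policy so that a third crash no longer leaves the service stopped.

```powershell
# Added defensive check; not part of the Help Net Security article or the Acros PoC.
# Assumptions: elevated session on the host being checked; SCM event IDs 7031/7034
# record unexpected service terminations in the System log.

# 1. Is the Event Log service running right now? If not, every detection that
#    consumes this host's Windows logs is blind at this moment.
$svc = Get-Service -Name EventLog
"{0}: {1}" -f $svc.DisplayName, $svc.Status

# 2. Look back 24 hours for SCM notices that the Event Log service terminated
#    unexpectedly. Because System events raised during the outage are queued
#    rather than dropped, these appear once the service is back up.
$since = (Get-Date).AddHours(-24)
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Windows Event Log' }

if ($crashes) {
    "Event Log service terminated unexpectedly {0} time(s) since {1}:" -f @($crashes).Count, $since
    $crashes |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
} else {
    "No unexpected Event Log service terminations recorded since $since."
}

# 3. The article observes that the service restarts after two crashes but not a
#    third, i.e. recovery only acts on the first two failures. Reset the failure
#    counter daily and restart on every failure so a third crash does not leave
#    the service (and any log-based detection) down until someone notices.
sc.exe failure EventLog reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc.exe qfailure EventLog
```

Step 3 is the hardening half of the check; steps 1 and 2 are the detection half. Shipping the service-status check to a monitoring agent that does not itself depend on Windows event logs (a direct `Get-Service` poll, for instance) is the point: an alert that only fires through the log pipeline cannot report that the log pipeline is down.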
News URL
https://www.helpnetsecurity.com/2024/01/31/windows-event-log-vulnerability/
Related news
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware
- EncryptHub linked to MMC zero-day attacks on Windows systems
- New Windows zero-day leaks NTLM hashes, gets unofficial patch
- EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
- Mozilla Patches Critical Firefox Bug Similar to Chrome's Recent Zero-Day Vulnerability
- Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825)
- Microsoft: Windows CLFS zero-day exploited by ransomware gang
- Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824)
- Microsoft Patches 125 Flaws Including Actively Exploited Windows CLFS Vulnerability
- WhatsApp vulnerability could be used to infect Windows users with malware (CVE-2025-30401)