HackTool - SharpEvtMute Execution

Rule name: HackTool - SharpEvtMute Execution

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Defense Evasion: Impair Defenses - Disable Windows Event Logging (T1562.002)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Privilege escalation → Tool deployment → Event log tampering → Evidence removal → Stealth persistence

Impact

  • Log manipulation
  • Evidence removal
  • Detection evasion
  • Forensic obstruction

Rule Requirement

Prerequisites

  • Using Windows event viewer:

To configure detailed process tracking, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC) by running gpmc.msc. Create a new GPO or modify an existing one linked to the appropriate OU, then navigate to Advanced Audit Policy Configuration and enable Audit Process Creation and Audit Process Termination by selecting the Success option. For enhanced tracking, go to Administrative Templates > System > Audit Process Creation and enable the setting to include command-line information in process creation events. Additionally, ensure that the registry key Microsoft-Windows-Security-Auditing/Operational exists under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ for proper event logging.

  • Using Sysmon:

Download and install Sysmon from Microsoft Sysinternals, then open a Command Prompt with administrator privileges. Use or create a configuration file that includes process creation monitoring, and install Sysmon using the command sysmon.exe -i [configfile.xml]. Ensure the configuration captures all process creation events, and create the registry key Microsoft-Windows-Sysmon/Operational under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ if it doesn't already exist.
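The two prerequisite procedures above are configured through GPMC and the Sysmon installer; the script below is an added example (not part of the original rule page) that verifies the result on a host from an elevated PowerShell prompt. It assumes the standard registry location for the command-line audit setting and the default Sysmon channel name, both of which are labelled in the code so you can adjust them.

```powershell
# Added example, not part of the original rule page: checks that a host meets
# the logging prerequisites for this rule. Run from an elevated PowerShell prompt.
# Assumptions: standard registry location for the 4688 command-line setting and
# the default Sysmon channel name; change $SysmonChannel if yours differs.

$SysmonChannel = 'Microsoft-Windows-Sysmon/Operational'
$checks = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# 1. Advanced audit policy: both subcategories must report at least Success.
#    'auditpol /r' prints CSV; blank lines are dropped before parsing.
foreach ($sub in 'Process Creation', 'Process Termination') {
    $row = auditpol /get /subcategory:"$sub" /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv | Select-Object -First 1
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'unknown' }
    Add-Check "Audit: $sub" ($setting -like '*Success*') "Inclusion Setting = $setting"
}

# 2. Command-line logging in 4688 (Administrative Templates > System >
#    Audit Process Creation > Include command line in process creation events).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine = (Get-ItemProperty -Path $auditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
Add-Check 'Command line included in 4688' ($cmdLine -eq 1) "ProcessCreationIncludeCmdLine_Enabled = $cmdLine"

# 3. Sysmon operational channel exists and is enabled.
$log = Get-WinEvent -ListLog $SysmonChannel -ErrorAction SilentlyContinue
$logDetail = if ($log) { "Enabled = $($log.IsEnabled); Records = $($log.RecordCount)" } else { 'channel not found' }
Add-Check 'Sysmon channel present and enabled' ($null -ne $log -and $log.IsEnabled) $logDetail

# 4. Nothing is logged at all if the Windows Event Log service is not running.
$svc = Get-Service -Name EventLog
Add-Check 'Windows Event Log service running' ($svc.Status -eq 'Running') "Status = $($svc.Status)"

$checks | Format-Table -AutoSize
if ($checks.OK -contains $false) { Write-Warning 'One or more prerequisites for this rule are not met.' }
```

Run it after applying the GPO (or after gpupdate /force) on a representative member server; any row with OK = False means the rule cannot see the events it needs, and the command-line check in particular is what makes the COMMANDLINE criterion below usable at all.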

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME endswith "\SharpEvtMute.exe" OR MESSAGE = "SharpEvtMute" OR COMMANDLINE contains "--Filter \"rule " OR COMMANDLINE contains "--Encoded --Filter \"")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
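To show what the criteria actually evaluate on raw Windows telemetry, here is an added example (my own code, not the rule page's query engine or any vendor's implementation) that applies the same three conditions to Sysmon Event ID 1 and Security 4688 records. It assumes that the MESSAGE = "SharpEvtMute" condition corresponds to the executable's original file name as carried in Sysmon's OriginalFileName field, and it finishes with constructed sample records so the logic can be exercised without a live hit.

```powershell
# Added example, not code from the rule page or any vendor: applies the Criteria
# above to process-creation events from Sysmon (Event ID 1) and Security 4688.
# Assumption: MESSAGE = "SharpEvtMute" is mapped to Sysmon's OriginalFileName.
# The $samples at the end are constructed records, not real telemetry.

$CommandLinePatterns = @('--Filter "rule ', '--Encoded --Filter "')

# Returns the list of criteria the record matched (empty list = no match).
function Test-SharpEvtMuteIndicator([string]$Image, [string]$CommandLine, [string]$OriginalFileName) {
    $ci = [System.StringComparison]::OrdinalIgnoreCase
    $reasons = @()
    if ($Image -and $Image.EndsWith('\SharpEvtMute.exe', $ci)) { $reasons += 'image name' }
    if ($OriginalFileName -and $OriginalFileName -eq 'SharpEvtMute.exe') { $reasons += 'original file name' }
    foreach ($pattern in $CommandLinePatterns) {
        if ($CommandLine -and $CommandLine.IndexOf($pattern, $ci) -ge 0) {
            $reasons += "command line contains '$pattern'"
            break
        }
    }
    return ,$reasons
}

# Flattens the <EventData><Data Name="..."> entries of a record into a hashtable.
function Get-EventDataMap([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.GetAttribute('Name')] = [string]$d.'#text' }
    return $map
}

# Sysmon stores the process path in Image, Security 4688 in NewProcessName.
function Get-SharpEvtMuteHit([hashtable]$Data, [string]$LogName, $Time, [string]$Machine) {
    $image = if ($Data['Image']) { $Data['Image'] } else { $Data['NewProcessName'] }
    $why = Test-SharpEvtMuteIndicator -Image $image -CommandLine $Data['CommandLine'] -OriginalFileName $Data['OriginalFileName']
    if ($why.Count -eq 0) { return $null }
    [pscustomobject]@{
        Time = $Time; Host = $Machine; Log = $LogName
        Image = $image; CommandLine = $Data['CommandLine']; Matched = ($why -join ', ')
    }
}

$hits = [System.Collections.Generic.List[object]]::new()

# Live evaluation over the two log sources the prerequisites set up.
foreach ($q in @(@{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 },
                 @{ LogName = 'Security'; Id = 4688 })) {
    Get-WinEvent -FilterHashtable $q -MaxEvents 10000 -ErrorAction SilentlyContinue | ForEach-Object {
        $hit = Get-SharpEvtMuteHit -Data (Get-EventDataMap $_) -LogName $q.LogName -Time $_.TimeCreated -Machine $_.MachineName
        if ($hit) { $hits.Add($hit) }
    }
}

# Constructed sample records: a direct execution, a process under another name
# that only the command-line criterion catches, and a benign process that must not match.
$samples = @(
    @{ Image = 'C:\Users\demo\Downloads\SharpEvtMute.exe'; CommandLine = 'SharpEvtMute.exe --Help'; OriginalFileName = 'SharpEvtMute.exe' },
    @{ Image = 'C:\Temp\update.exe'; CommandLine = 'update.exe --Filter "rule <constructed>"' },
    @{ Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe C:\notes.txt' }
)
foreach ($s in $samples) {
    $hit = Get-SharpEvtMuteHit -Data $s -LogName 'constructed-sample' -Time (Get-Date) -Machine $env:COMPUTERNAME
    if ($hit) { $hits.Add($hit) }
}

$hits | Format-Table -AutoSize   # expected: the first two samples listed, notepad absent
```

The three criteria are deliberately independent: the image-name and original-file-name checks are cheap but depend on the binary keeping its name, while the command-line check is the one that still fires when it does not, which is exactly why command-line logging is listed as a prerequisite. The Matched column tells the analyst which criterion fired, which is useful when triaging the false positives discussed later on this page.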

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Impair Defenses - Disable Windows Event Logging (T1562.002)

Security Standards

Enabling this rule will help you meet the security standards' requirements listed below:

1. NIST SP 800-53 – AU-4: Audit Storage Capacity

Ensures audit logs are retained and protected from tampering or deletion.
Triggering this rule alerts security teams to attempts at modifying or suppressing event logs, helping safeguard audit data integrity.

2. NIST SP 800-53 – AU-6: Audit Review, Analysis, and Reporting

Requires reviewing and analyzing audit logs to detect suspicious activity.
Triggering this rule identifies efforts to evade logging mechanisms, enhancing the reliability and completeness of audit reviews.

3. NIST SP 800-53 – SI-4: System Monitoring

Mandates continuous monitoring for signs of unauthorized or malicious activity.
Triggering this rule detects stealth techniques aimed at concealing attacker actions, supporting proactive threat monitoring.

4. NIST SP 800-53 – IR-5: Incident Monitoring

Calls for tracking incidents and detecting ongoing malicious behavior.
Triggering this rule supports early detection of log tampering, aiding in quicker incident identification and response.

5. NIST SP 800-171 – 3.3.1: Generate Audit Records

Requires generating audit logs for security-relevant events and ensuring their accuracy.
Triggering this rule uncovers attempts to suppress audit trail evidence, helping maintain accurate and complete audit records.

6. NIST CSF – DE.CM-1: Detect Anomalies and Events

Supports detection of events that deviate from expected behavior.
Triggering this rule highlights abnormal activity like log suppression, strengthening anomaly detection capabilities.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

This rule will be triggered if SharpEvtMute is executed during authorized red team assessments or security tool testing in controlled environments. It may also generate false positives when legitimate researchers run the tool for forensic or detection validation purposes.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
  4. Containment: Isolate the affected system to prevent further log tampering and maintain the integrity of security monitoring.
  5. Investigation: Correlate the event with other log data to uncover potential attacker activities that may have been hidden or erased.

Mitigation

M1047: Audit

Regularly review auditpol settings for Administrator accounts and implement dynamic baselining in your SIEM to detect potential malicious behavior. Additionally, verify that the EventLog service and its associated threads are running correctly to ensure continuous event logging.

M1022: Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging, or from deleting or modifying .evtx log files. Ensure .evtx files, which are located at C:\Windows\System32\winevt\Logs, have the proper file permissions for limited, legitimate access and audit policies for detection.
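A concrete way to act on M1022 is to review who can write to or delete the .evtx files. The script below is an added example (my own code, not MITRE's or the rule page's) that lists every Allow entry on those files granting write, delete, modify, ownership or permission-change rights to an identity outside an allow-list. The allow-list of SYSTEM, Administrators and the EventLog service identity is an assumption about a typical baseline and should be adjusted to yours.

```powershell
# Added example, not part of the original page: reviews ACLs on the .evtx files
# under the Windows event log directory and reports write-capable entries held
# by identities outside an allow-list. Run from an elevated PowerShell prompt.
# Assumption: $AllowedIdentities reflects a typical default baseline; adapt it.

$LogDir = 'C:\Windows\System32\winevt\Logs'
$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\EventLog')

# Rights that let a principal alter or remove evidence, or change who can.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, Modify, FullControl, TakeOwnership, ChangePermissions'

# Report the directory owner first: an unexpected owner can re-grant any right later.
$dirAcl = Get-Acl -Path $LogDir
[pscustomobject]@{ Item = $LogDir; Owner = $dirAcl.Owner } | Format-List

$findings = Get-ChildItem -Path $LogDir -Filter *.evtx -ErrorAction Stop | ForEach-Object {
    $file = $_
    $acl = Get-Acl -Path $file.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $DangerousRights) -eq 0) { continue }
        if ($AllowedIdentities -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            File      = $file.Name
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Sort-Object Identity, File | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) write-capable ACE(s) outside the allow-list were found."
} else {
    'No .evtx file grants write-capable rights outside the allow-list.'
}
```

Non-inherited entries are the ones to look at first, since inherited entries come from the directory and a single fix there propagates; an explicit entry on one log file is the shape a targeted permission change would take. Pair this with an audit policy on the same directory so that later changes to these ACLs produce their own events.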

M1024: Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with logging. The addition of the MiniNT registry key disables Event Viewer.

M1018: User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.