{"id":12060,"date":"2021-01-11T09:41:25","date_gmt":"2021-01-11T04:11:25","guid":{"rendered":"http:\/\/kalilinuxtutorials.com\/?p=12060"},"modified":"2021-01-11T09:41:25","modified_gmt":"2021-01-11T04:11:25","slug":"evtmute","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/evtmute\/","title":{"rendered":"EvtMute : Apply A Filter To The Events Being Reported By Windows Event Logging"},"content":{"rendered":"\n<p><strong>EvtMute<\/strong> is a tool that allows you to offensively use <a href=\"http:\/\/virustotal.github.io\/yara\/\">YARA<\/a> to apply a filter to the events being reported by Windows event logging.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Usage<\/strong><\/p>\n\n\n\n<p>Grab the latest version from <a href=\"https:\/\/github.com\/bats3c\/EvtMute\/releases\/tag\/v1.0\">here<\/a>. <code><strong>EvtMuteHook.dll<\/strong><\/code> contains the core functionality. Once it is injected it applies a temporary filter that allows all events to be reported; this filter can be dynamically updated without having to reinject. I&#8217;ve written <code><strong>SharpEvtMute.exe<\/strong><\/code>, a C# assembly that can easily be run via <code>execute<\/code> in shad0w or <code><strong>execute-assembly<\/strong><\/code> in Cobalt Strike. I will be writing a native version in C for much better integration with shad0w.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Disabling Logging<\/strong><\/p>\n\n\n\n<p>A trivial use case would be to disable event logging system-wide. 
To do this we can use the following YARA rule.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rule disable { condition: true }\n<\/code><\/pre>\n\n\n\n<p>We will need to start by injecting the hook into the event service.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\\SharpEvtMute.exe --Inject\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/--dbXsBMAn88\/X_WfklV38QI\/AAAAAAAAIRk\/mGZ32BKSWxcBktuUbLV45Xcer_Ef2Q_wACLcBGAsYHQ\/s516\/EvtMute-1.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Now that the hook is placed we can add the filter.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\\SharpEvtMute.exe --Filter \"rule disable { condition: true }\"\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-0_T0gWHtv3o\/X_WfkkkbExI\/AAAAAAAAIRo\/ZmAx7UgsDQwxPTEAj1JxFycfWnI5tGAPwCLcBGAsYHQ\/s653\/EvtMute-2.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Now all events will be dropped by the event service.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Complex Filters<\/strong><\/p>\n\n\n\n<p>Filters can be dynamically changed without having to reinject a hook. This makes it quick and easy to update the active filter.<\/p>\n\n\n\n<p>An example of a more complex filter would be this. It is capable of blocking the events related to an lsass memory dump from being reported by Sysmon.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rule block_lsass_dump {\n    meta:\n        author = &quot;@_batsec_&quot;\n        description = &quot;Prevent lsass dumping being reported by sysmon&quot;\n    strings:\n        $provider = &quot;Microsoft-Windows-Sysmon&quot;\n        $image = &quot;lsass.exe&quot; nocase\n        $access = &quot;GrantedAccess&quot;\n        $type = &quot;0x1fffff&quot;\n    condition:\n        all of them\n}\n<\/code><\/pre>\n\n\n\n<p>With a complex rule like this it is much harder to condense it into a single line. This is why I added the ability to give base64-encoded rules.<\/p>\n\n\n\n<p>The rule can easily be converted to base64 from a Linux command line.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>base64 -w 0 YaraFilters\/lsassdump.yar | echo $(&lt;\/dev\/stdin)\n<\/code><\/pre>\n\n\n\n<p>Then using the <code>--Encoded<\/code> flag we can pass it as a filter.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-3zQ2B02eWtQ\/X_Wf547bcPI\/AAAAAAAAIR0\/NN1S4IYy3gInovNHvxzseu05poiFZH0_wCLcBGAsYHQ\/s1100\/encrule.png\" alt=\"\"\/><\/figure>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Opsec Considerations<\/strong><\/p>\n\n\n\n<p>When injecting the hook, <code><strong>SharpEvtMute.exe<\/strong><\/code> will call <code><strong>CreateRemoteThread<\/strong><\/code>, and because this call is made before the hook is placed it will be reported by Sysmon. This is because the injection feature of <code><strong>SharpEvtMute.exe<\/strong><\/code> should only be used as a PoC. I recommend manually injecting <code><strong>EvtMuteHook.dll<\/strong><\/code> into the event logging service when stealth is important.<\/p>\n\n\n\n<p>Its PID can be found by running <code><strong>SharpEvtMute.exe --Pid<\/strong><\/code>. The hook can be placed by manually injecting the shellcode (run <code>make<\/code> in EvtMuteBin) via your C2 framework of choice, e.g. <code><strong>shinject<\/strong><\/code> in shad0w.<\/p>\n\n\n\n<p>It is also worth mentioning that the hook will use a named pipe to update filters. 
The named pipe is called <code><strong>EvtMuteHook_Rule_Pipe<\/strong><\/code> (this name can be changed easily). There is a rule baked into the hook to ensure that any events including this name will be dropped automatically, but having it listening will still be an IOC, so I recommend changing it.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Community Filters<\/strong><\/p>\n\n\n\n<p>If you create some useful filters, feel free to make a pull request to the <code><strong>YaraFilters<\/strong><\/code> directory. It would be cool to have a good collection of filters to hide common actions that everyone can benefit from.<\/p>\n\n\n\n<div class=\"wp-block-buttons aligncenter is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-vivid-cyan-blue-background-color has-background\" href=\"https:\/\/github.com\/bats3c\/EvtMute\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Download<\/strong><\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>EvtMute is a tool that allows you to offensively use YARA to apply a filter to the events being reported by Windows event logging. Usage Grab the latest version from here. 
EvtMuteHook.dll contains the core functionality, once it is injected it will apply a temporary filter which will allow all events to be reported, this [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":16650,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-fuvSLp8c7Tk\/X_WvC4GgaqI\/AAAAAAAAISA\/iafWa6GPqwo9QpWLmaqW_VdIQBw5tGJzwCLcBGAsYHQ\/s728\/New%2BProject.png","fifu_image_alt":"EvtMute : Apply A Filter To The Events Being Reported By Windows Event Logging","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[1087,1103,3714],"class_list":["post-12060","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-event-logging","tag-evtmute","tag-windows"],"yoast_head_json":{"title":"EvtMute : Apply A Filter To The Events Being Reported By Windows Event Logging","description":"EvtMute is a tool that allows you to offensively use YARA to apply a filter to the events being reported by windows event logging.","canonical":"https:\/\/kalilinuxtutorials.com\/evtmute\/","article_published_time":"2021-01-11T04:11:25+00:00","author":"R K","twitter_misc":{"Written by":"R K","Est. reading time":"3 minutes"}}}