Internal Infrastructure Pentest - Disable Security Policies and Services
less than 1 minute read
- Disable security policies and services to avoid detection by Blue team
- Auditpol /set /Category:System /failure:disable
- Services.msc:
- As an attacker disable these services to clear your trace
- Blue team checks these logs to find stuff
- Windows Event Collector: This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. If this service is stopped or disabled event subscriptions cannot be created and forwarded events cannot be accepted.
- C:\WINDOWS\system32>sc stop Wecsvc
- Windows Event Log: This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. Stopping this service may compromise security and reliability of the system.
- C:\WINDOWS\system32>sc stop EventLog