This short post is about Invoke-Phant0m, which “walks” the threads of the process hosting the Event Log Service (a svchost.exe instance), identifies the ones that belong to that service by their service tag, and kills them. The system is then unable to collect event logs, while the Event Log Service still reports a status of Running, because the service itself was never stopped.
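Because the service status stays Running, checking `Get-Service EventLog` tells a defender nothing. The script below is an added example, not code from the original post or from the Invoke-Phant0m project: it resolves the svchost.exe that hosts the service, reports its thread count (to compare against a baseline from a known-good host), and then proves the service is working by writing a uniquely tagged event and reading it back. The round trip runs in a background job so that a service whose worker threads are gone, and whose RPC calls therefore never return, is reported as hung rather than blocking the check. The source name EventLogHealthCheck and event ID 4242 are arbitrary choices for this example; it assumes Windows PowerShell 5.1 (Write-EventLog is not available in PowerShell 7) and an elevated prompt.

```powershell
# Added example (not from the original post or from Invoke-Phant0m).
# Verifies that the Event Log service is actually recording events instead of
# trusting its "Running" status. Requires Windows PowerShell 5.1 and an
# elevated prompt. The source name 'EventLogHealthCheck' and event ID 4242
# are arbitrary choices made for this example.

function Get-EventLogHostProcess {
    # The EventLog service is hosted by a svchost.exe; resolve its PID via CIM.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EventLog'"
    if (-not $svc -or $svc.State -ne 'Running') {
        throw "EventLog service is not running (state: $($svc.State))"
    }
    $proc = Get-Process -Id $svc.ProcessId
    [pscustomobject]@{
        Pid         = $svc.ProcessId
        ProcessName = $proc.ProcessName
        ThreadCount = $proc.Threads.Count   # compare with a baseline from a known-good host
    }
}

function Test-EventLogWrites {
    # Writes a uniquely tagged event and reads it back. Runs in a background
    # job so a service whose threads were killed (RPC calls that never return)
    # is reported as 'Hung' instead of blocking this script.
    param(
        [string]$Source         = 'EventLogHealthCheck',
        [int]   $EventId        = 4242,
        [int]   $TimeoutSeconds = 15
    )
    $marker = [guid]::NewGuid().ToString()
    $job = Start-Job -ArgumentList $Source, $EventId, $marker -ScriptBlock {
        param($Source, $EventId, $Marker)
        try {
            if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
                New-EventLog -LogName Application -Source $Source
            }
            $start = (Get-Date).AddMinutes(-1)
            Write-EventLog -LogName Application -Source $Source -EventId $EventId `
                -EntryType Information -Message "event log health check $Marker"
            # Give the service a moment, then look for the event we just wrote.
            Start-Sleep -Seconds 2
            $hit = Get-WinEvent -FilterHashtable @{
                        LogName = 'Application'; ProviderName = $Source
                        Id = $EventId; StartTime = $start
                   } -ErrorAction SilentlyContinue |
                   Where-Object { $_.Message -like "*$Marker*" }
            if ($hit) { 'Recorded' } else { 'NotRecorded' }
        } catch {
            "Error: $($_.Exception.Message)"
        }
    }
    if (Wait-Job -Job $job -Timeout $TimeoutSeconds) {
        $result = Receive-Job -Job $job
    } else {
        $result = 'Hung'
    }
    Remove-Job -Job $job -Force
    return $result
}

$hostInfo = Get-EventLogHostProcess
"EventLog service hosted by {0} (PID {1}), {2} threads" -f `
    $hostInfo.ProcessName, $hostInfo.Pid, $hostInfo.ThreadCount

$status = Test-EventLogWrites
"Event log write test: $status"
if ($status -ne 'Recorded') {
    Write-Warning "Event Log service reports Running but is not recording events; suspect tampering (e.g. Invoke-Phant0m)."
}
```

Any result other than Recorded, including a hang, deserves attention: a healthy service answers a write-and-read round trip in well under a second, so a timeout is as telling as an explicit failure. Running this from a scheduled task and forwarding the result out of band gives a simple canary for this class of log tampering.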
Invoke-Phant0m is an open source, PowerShell-based event log killer for Microsoft Windows that can help you hide your activities on a server post-exploitation. The only drawback I see is that it needs administrative privileges to run; post-exploitation that is usually not an obstacle, since you will often already hold those privileges, or can escalate to them, before running the script. A few more PowerShell related projects from the PenTestIT blog can be found here. It is really encouraging to see PowerShell used in so many projects, and perhaps tomorrow it will be added to frameworks such as Nishang.
You can get Invoke-Phant0m.ps1 from its GitHub page here.