
Dracula Logger Exe Page

Add to dracula.conf:

rotation:
  interval_days: 7
  compress: true
  delete_after_days: 30

| Artifact | Location | Evasion Technique |
|----------|----------|-------------------|
| Log buffer | %AppData%\Microsoft\Crypto\RSA\*.dat | Encrypted with AES + renamed to system DLL naming |
| Persistence | Registry, Scheduled Tasks | Deletes Task Scheduler logs via wevtutil |
| DLL injection | %Temp%\mscordbi.dll | Unlinks file immediately after injection |
| Network | HTTPS to rotating domains | Certificate pinned to self-signed C2 |


Cause: Overly verbose logging combined with regex-heavy filters.
Fix: Narrow down the monitored processes and files. Use exclude_processes to ignore browser tabs or system idle processes. Add a throttling rule: Add to dracula

throttle:
  events_per_second: 1000

Cause: Memory access violation, often due to anti-virus interference or a corrupted config.
Fix:

Write a script that triggers when Dracula Logger exe detects a specific event ID. Example:

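Get-Content -Wait .\logs\security.log | Select-String "failed logon" | ForEach-Object {
    # -From and -SmtpServer are required to send; both values are placeholders for your mail relay
    Send-MailMessage -To "admin@co.com" -From "alerts@co.com" -SmtpServer "smtp.co.com" -Subject "Brute force detected!"
}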

By monitoring USB device plug-ins, PowerShell command history, and unusual logon hours, Dracula Logger acts as a host-based intrusion detection system (HIDS).
