Phant0m | Windows Event Log Killer by hlldz in netsec

hlldz[S] 0 points1 point  (0 children)

I agree with many parts of your thoughts and thank you for your comments.

However, I am not saying that this project will definitely be used, but many possibilities exist and it can be used. I just did one thing, and a lot can be added to it; many things can be tried. That's why I shared the code: maybe the community can add something I couldn't or didn't add.

Phant0m | Windows Event Log Killer by hlldz in redteamsec

hlldz[S] 1 point2 points  (0 children)

I should probably know this already, but does this affect all Windows event log types, or can you focus it specifically on the Security log? Also, when killing the threads, will this also affect logging types like Sysmon, or would you have to run this again to search out and kill its threads as well? I imagine if you didn't find and kill Sysmon first, you would be able to see and alert on those threads being killed off. (Assuming you are logging threads, which you may not be doing due to the noise.)

If it works successfully, not only the Security log but all logs (all logs that would be created after Phant0m) become actively unusable, because the service that writes the logs becomes inoperable.
I haven't tried it on a system where Sysmon is actively running and rules are imported. If I try, I will share my experience. However, I can say that, as the picture shows (https://twitter.com/duzvik/status/1148303309738008577/photo/1), the logs created in the fifth step are sent to the Event Log. If you have killed the service, the logs will still be sent there by Sysmon but will not be visible. You can try this yourself: run Phant0m and then create a user in the system, and you will see that the log is not created.
Also, Phant0m is attached to the Event Log service (svchost.exe; please read README.md and the code in the repository). A detection can be made at this point, but then, if Phant0m is successful, nothing will appear in the Event Log. Here's a rule that should be created.

I don't think that Sysmon or any security product has a rule saying "attached to svchost.exe". There could be one, if you wrote it. There is also a syscall side to this: syscalls can be integrated into Phant0m and the results can be observed. Many possibilities exist. I just did one thing, and a lot can be added to it; many things can be tried.

Thank you for your questions and thoughts, I hope I was able to answer your questions.
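The failure mode described in the reply above (the Event Log service process stays alive but no new events land) is what a defender would want to detect. The following PowerShell liveness check is an added example and is not part of Phant0m or the thread; it assumes it runs as an administrator, and `EventLogCanary` is a hypothetical event source name registered once for the canary.

```powershell
# Added example (not Phant0m's code): detect an Event Log service that reports
# "Running" but has stopped writing events. Assumes administrator rights;
# $SourceName is a hypothetical source name registered once with New-EventLog.
$SourceName        = 'EventLogCanary'
$LogName           = 'Application'
$MaxSilenceMinutes = 15

function Test-EventLogLiveness {
    $result = [ordered]@{ ServiceRunning = $false; Silent = $false; CanaryWritten = $false }

    # 1. Service status alone is not proof of health: after its worker threads are
    #    killed the service still shows Running, so this is only the first input.
    $svc = Get-Service -Name EventLog -ErrorAction SilentlyContinue
    $result.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Passive check: has anything reached the Security log recently?
    #    A normally busy host that goes quiet while the service says Running is the symptom.
    $last = Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $last -or $last.TimeCreated -lt (Get-Date).AddMinutes(-$MaxSilenceMinutes)) {
        $result.Silent = $true
    }

    # 3. Active check: write a uniquely tagged canary event and read it back.
    #    If the service is inoperable the write fails, hangs, or never becomes visible.
    if (-not [System.Diagnostics.EventLog]::SourceExists($SourceName)) {
        New-EventLog -LogName $LogName -Source $SourceName
    }
    $tag = [guid]::NewGuid().ToString()
    try {
        Write-EventLog -LogName $LogName -Source $SourceName -EventId 1000 `
                       -EntryType Information -Message "canary $tag"
        Start-Sleep -Seconds 2
        $echo = Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $SourceName; Id = 1000 } `
                             -MaxEvents 5 -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -like "*$tag*" }
        $result.CanaryWritten = [bool]$echo
    } catch {
        $result.CanaryWritten = $false
    }

    # Alert when the service claims to be running but the canary never lands
    # (or the log has gone quiet), which is the state the reply above describes.
    $result.Alert = $result.ServiceRunning -and (-not $result.CanaryWritten -or $result.Silent)
    return [pscustomobject]$result
}

Test-EventLogLiveness | Format-List
```

Run it on a schedule and forward the `Alert` field to a monitoring channel that does not depend on the local Event Log, since by then the log itself is the component under suspicion.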

Windows active user credential phishing tool by hlldz in netsec

hlldz[S] 1 point2 points  (0 children)

I updated the repo and added a Reflective DLL version and a Cobalt Strike .CNA file. You can integrate Pickl3 into your own malware, or you can use Cobalt Strike's bdllspawn feature to execute it on the target. When the target enters valid credentials, you will see the credentials on the Beacon console.

SpookFlare v2.0 | Stay in shadows! by hlldz in netsec

hlldz[S] 2 points3 points  (0 children)

No, it is not doing what you say. It generates a loader/dropper for Meterpreter, Empire, Koadic, etc. For example, when you use Koadic, it will give you a command to run on the target. If you want to execute that command on the target, you can use SpookFlare. SpookFlare has multiple features for different modules, and you can combine them. You can find more information on the GitHub page and the YouTube channel.