4. Clear Logs to hide the Evidence of Compromise
To remain undetected, the intruders need to erase all evidence of security compromise from the system.
Clear Windows Machine Logs using Various Utilities
The system log file contains events that are logged by the OS components. These events are often predetermined by the OS itself. System log files may contain information about device changes, device drivers, system changes, events, operations, and other changes.
There are various Windows utilities that can be used to clear system logs such as Clear_Event_Viewer_Logs.bat, wevtutil, and Cipher. Here, we will use these utilities to clear the Windows machine logs.
Right-click Clear_Event_Viewer_Logs.bat and click Run as administrator.

A Command Prompt window appears, and the utility starts clearing the event logs, as shown in the screenshot. The command prompt will automatically close when finished.
Clear_Event_Viewer_Logs.bat is a utility that can be used to wipe out the logs of the target system. This utility can be run through command prompt or PowerShell, and it uses a BAT file to delete security, system, and application logs on the target system. You can use this utility to wipe out logs as one method of covering your tracks on the target system.
wevtutil
wevtutil el (enum-logs) lists the names of the event logs. Run the wevtutil cl [log_name] command (cl is short for clear-log) to clear a specific event log, where log_name is the name of the log to clear, e.g. system, application, or security. Here, we are clearing the system log.


Similarly, you can also clear application and security logs by issuing the same command with different log names (application, security).
Cipher.exe
In Command Prompt, run cipher /w:[Drive or Folder or File Location] command to overwrite deleted files in a specific drive, folder, or file. The Cipher.exe utility starts overwriting the deleted files, first, with all zeroes (0x00); second, with all 255s (0xFF); and finally, with random numbers, as shown in the screenshot.
Cipher.exe is an in-built Windows command-line tool that can be used to securely delete a chunk of data by overwriting it to prevent its possible recovery. This command also assists in encrypting and decrypting data in NTFS partitions.
When an attacker creates a malicious text file and encrypts it, at the time of the encryption process, a backup file is created. Therefore, in cases where the encryption process is interrupted, the backup file can be used to recover the data. After the completion of the encryption process, the backup file is deleted, but this deleted file can be recovered using data recovery software and can further be used by security personnel for investigation. To avoid data recovery and to cover their tracks, attackers use the Cipher.exe tool to overwrite the deleted files.

2. Clear Linux Machine Logs using the BASH Shell
BASH, the Bourne Again Shell, is an sh-compatible shell that stores command history in a file called ~/.bash_history. You can view the saved command history with the more ~/.bash_history command. This feature of BASH is a problem for hackers, as investigators could use the .bash_history file to track the origin of an attack and learn the exact commands the intruder used to compromise the system.
Open a Terminal window and run the export HISTSIZE=0 command to stop the BASH shell from saving history. Alternatively, run the history -c command in the Terminal window to clear the history stored so far.
history -c is an effective alternative to disabling history: history stays enabled, so you keep the convenience of reviewing or reusing earlier commands while everything recorded so far is cleared.

Similarly, you can use the history -w command to delete the history of the current shell only, leaving the command history of other shells unaffected. Run the shred ~/.bash_history command to shred the history file, making its content unreadable.
shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit
This command first shreds the history file, then empties it, and finally clears the in-memory history so that the command itself is not recorded. Once it completes, the terminal window exits.

3. View, Edit and clear Audit Policies using Auditpol
Auditpol.exe is the command-line utility used to change the audit security settings at the category and sub-category levels. You can use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events. In practice, the moment intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they turn auditing back on using the same tool (auditpol.exe).
See all audit policies
auditpol /get /category:*

To set an auditing policy
auditpol /set /category:"system","account logon" /success:enable /failure:enable

To clear all audit policies
auditpol /clear /y
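As an added example (not part of the original lab notes), here is a small Python detector for the traces that the wevtutil, auditpol, and cipher commands above leave in the Windows event logs. The event records and their field names (channel, event_id, time, data) are a constructed, simplified stand-in for real log entries, and the 4688 matching only works where command-line auditing is enabled.

```python
# Added example (not from the original lab notes): flag the traces that the
# page's log-clearing commands leave in the Windows event logs. The records
# below are constructed stand-ins; their field names (channel, event_id,
# time, data) are assumptions, not the real event XML schema.
import re

# Channel/Event ID pairs that record log clearing or audit-policy changes.
CLEAR_RULES = {
    ("Security", 1102): "Security log cleared (Event ID 1102)",
    ("System", 104): "Event log cleared (Event ID 104)",
    ("Security", 4719): "System audit policy changed (Event ID 4719)",
}
# Command lines of the utilities discussed above, matched against 4688
# process-creation events (present only if command-line auditing is enabled).
SUSPICIOUS_CMDLINES = [
    re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    re.compile(r"auditpol(\.exe)?\s+/(clear|set)\b", re.I),
    re.compile(r"cipher(\.exe)?\s+/w:", re.I),
]

def detect_log_tampering(events):
    """Return (time, rule, detail) for every record matching a rule, in log order."""
    findings = []
    for ev in events:
        data = ev.get("data", {})
        key = (ev["channel"], ev["event_id"])
        if key in CLEAR_RULES:
            findings.append((ev["time"], CLEAR_RULES[key], data.get("log", data.get("subcategory", ""))))
        elif key == ("Security", 4688):
            cmd = data.get("command_line", "")
            if any(p.search(cmd) for p in SUSPICIOUS_CMDLINES):
                findings.append((ev["time"], "Log-clearing utility executed (Event ID 4688)", cmd))
    return findings

# Constructed sample: audit policy wiped, every log cleared, then free space overwritten.
SAMPLE_EVENTS = [
    {"time": "10:02:11", "channel": "Security", "event_id": 4624, "data": {}},
    {"time": "10:05:40", "channel": "Security", "event_id": 4688, "data": {"command_line": "auditpol /clear /y"}},
    {"time": "10:05:41", "channel": "Security", "event_id": 4719, "data": {"subcategory": "Audit Policy Change"}},
    {"time": "10:07:02", "channel": "Security", "event_id": 4688,
     "data": {"command_line": "for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""}},
    {"time": "10:07:03", "channel": "System", "event_id": 104, "data": {"log": "Application"}},
    {"time": "10:07:04", "channel": "Security", "event_id": 1102, "data": {}},
    {"time": "10:09:00", "channel": "Security", "event_id": 4688, "data": {"command_line": "cipher /w:c:"}},
]

if __name__ == "__main__":
    for when, rule, detail in detect_log_tampering(SAMPLE_EVENTS):
        print(f"{when}  {rule}  {detail}")
```

Records written before a clear, including the 4688 entries that show the clearing command, are destroyed together with the log, so the 4688 rule only works reliably on events already forwarded to a collector; Event ID 1102 is written into the freshly cleared Security log and therefore survives.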
4. Clear windows logs using different utilities
Bat Script
Download the script and run as administrator.
wevtutil el
list event logs
wevtutil el

To clear a single log (here, system is the log name)
wevtutil cl system
To clear all logs
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
Cipher (Overwrite deleted files)
cipher /w:c:

5. Clear Linux logs using bash shell
Disable history keeping
export HISTSIZE=0
To clear bash history
history -c
clear history of existing shell only
history -w
shred the history without clearing
shred ~/.bash_history
to view history file
more ~/.bash_history
First shred history file and then clear it.
shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit

6. Hiding Artifacts in Windows and Linux
Windows
create a dir
mkdir test
Hide a folder in windows
attrib +h +r +s test

To unhide a folder in windows
attrib -s -h -r test

Hide user accounts in windows
net user test /add
net user test /active:yes
Deactivating the account hides it:
net user test /active:no
Linux
Prefix a file name with a . (dot) to hide the file. To view hidden files:
ls -la

7. Clear Windows logs using CCleaner