4. Clear Logs to hide the Evidence of Compromise
To remain undetected, the intruders need to erase all evidence of security compromise from the system.
The system log file contains events that are logged by the OS components. These events are often predetermined by the OS itself. System log files may contain information about device changes, device drivers, system changes, events, operations, and other changes.
There are various Windows utilities that can be used to clear system logs such as Clear_Event_Viewer_Logs.bat, wevtutil, and Cipher. Here, we will use these utilities to clear the Windows machine logs.
Right-click Clear_Event_Viewer_Logs.bat and click Run as administrator.
A Command Prompt window appears, and the utility starts clearing the event logs, as shown in the screenshot. The command prompt will automatically close when finished.
Clear_Event_Viewer_Logs.bat is a utility that can be used to wipe out the logs of the target system. This utility can be run through command prompt or PowerShell, and it uses a BAT file to delete security, system, and application logs on the target system. You can use this utility to wipe out logs as one method of covering your tracks on the target system.
wevtutil el (enum-logs) lists the names of the event logs. Run the wevtutil cl [log_name] command (here, we are clearing the system log) to clear a specific event log. cl (clear-log) clears one log; log_name is the name of the log to clear, e.g. system, application, or security.
Similarly, you can also clear application and security logs by issuing the same command with different log names (application, security).
In Command Prompt, run cipher /w:[Drive or Folder or File Location] command to overwrite deleted files in a specific drive, folder, or file. The Cipher.exe utility starts overwriting the deleted files, first, with all zeroes (0x00); second, with all 255s (0xFF); and finally, with random numbers, as shown in the screenshot.
Cipher.exe is an in-built Windows command-line tool that can be used to securely delete a chunk of data by overwriting it to prevent its possible recovery. This command also assists in encrypting and decrypting data in NTFS partitions.
When an attacker creates a malicious text file and encrypts it, at the time of the encryption process, a backup file is created. Therefore, in cases where the encryption process is interrupted, the backup file can be used to recover the data. After the completion of the encryption process, the backup file is deleted, but this deleted file can be recovered using data recovery software and can further be used by security personnel for investigation. To avoid data recovery and to cover their tracks, attackers use the Cipher.exe tool to overwrite the deleted files.
BASH, the Bourne Again Shell, is an sh-compatible shell that stores command history in a file called .bash_history. You can view the saved command history using the more ~/.bash_history command. This feature of BASH is a problem for hackers, as investigators could use the .bash_history file to track the origin of an attack and learn the exact commands used by the intruder to compromise the system.
Open a Terminal window and run the export HISTSIZE=0 command to stop the BASH shell from saving history. In the Terminal window, run the history -c command to clear the history already stored.
Clearing with history -c is an alternative to disabling history altogether: the earlier commands remain available for review or reuse until the history is cleared.
Similarly, you can also use the history -w command to delete the history of the current shell, leaving the command history of other shells unaffected. Run the shred ~/.bash_history command to shred the history file, making its content unreadable.
This command first shreds the history file, then deletes it, and finally clears the evidence that the command itself was used. After it runs, the terminal window exits.
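From the defender's side, the techniques in this section leave recognisable traces: a start-up file that sets HISTSIZE=0 or runs history -c, a logout script that shreds the history file, or a .bash_history that is empty or filled with random bytes. The following example, added here and not part of the original lab text, scans constructed copies of such files for exactly those indicators. The file paths and contents are constructed; the functions take them as strings or bytes so the scan runs offline.

```python
"""Scan shell start-up files and the history file for the history
anti-forensics described in the text (HISTSIZE=0, history -c, shred of
.bash_history).  Added example, not part of the original page; paths
and file contents below are constructed."""
import re

# Indicator patterns, limited to the techniques this page discusses.
INDICATORS = [
    (re.compile(r'^\s*(export\s+)?HISTSIZE\s*=\s*0\b'),
     "history disabled (HISTSIZE=0)"),
    (re.compile(r'\bhistory\s+-c\b'),
     "history cleared (history -c)"),
    (re.compile(r'\bshred\b.*\.bash_history'),
     "history file shredded (shred ~/.bash_history)"),
]


def scan_startup_files(files):
    """files: {path: content}.  Returns [(path, line_no, description)].

    Comments are stripped before matching so a commented-out line does
    not trigger a finding."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), 1):
            code = line.split("#", 1)[0]
            for pattern, description in INDICATORS:
                if pattern.search(code):
                    findings.append((path, line_no, description))
    return findings


def inspect_history_file(data):
    """Return a finding string for a .bash_history that is empty or is
    no longer text (shred overwrites the file with random bytes before
    it is removed), or None when the file looks like normal history."""
    if len(data) == 0:
        return "history file is empty"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "history file contains non-text bytes (consistent with shred)"
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(data) < 0.9:
        return "history file is mostly non-printable (consistent with shred)"
    return None


# Constructed sample files: one clean user and one with the indicators.
SAMPLE_FILES = {
    "/home/alice/.bashrc": "# normal settings\nexport HISTSIZE=1000\nalias ll='ls -l'\n",
    "/home/bob/.bashrc": "export HISTSIZE=0\nhistory -c\n",
    "/home/bob/.bash_logout": "shred ~/.bash_history\n",
}
SAMPLE_HISTORY_CLEAN = b"ls -la\ncd /tmp\n"
SAMPLE_HISTORY_SHREDDED = bytes([0x00, 0xFF, 0x13, 0x88, 0xFE, 0x01, 0x9C, 0x42])

if __name__ == "__main__":
    for finding in scan_startup_files(SAMPLE_FILES):
        print("%s:%d: %s" % finding)
    for label, data in (("clean", SAMPLE_HISTORY_CLEAN),
                        ("shredded", SAMPLE_HISTORY_SHREDDED)):
        print(label, "->", inspect_history_file(data))
```

In a real deployment the same checks would be run over every user's start-up files and history file from a collected disk image or an endpoint agent, and the empty-or-random-bytes check is most useful when compared with the file's size and modification time from a previous baseline.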
Auditpol.exe is the command-line utility for changing the audit security settings at the category and sub-category levels. You can use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for different categories of security events. In practice, the moment intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they turn auditing back on using the same tool (auditpol.exe).
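Every action described in the Windows part of this section produces its own event record: clearing the Security log writes event ID 1102, clearing the System (or another) log with wevtutil cl or Event Viewer writes event ID 104, and each auditpol change to the system audit policy writes event ID 4719. The example below, added here and not part of the original lab text, runs simple detection rules over such records and also looks for the disable-audit, clear-logs, re-enable-audit sequence the paragraph above describes. The record layout (one dict per event with log, id, time, user, subcategory and change fields, roughly what Get-WinEvent or wevtutil qe expose) and the sample records are constructed for the example.

```python
"""Flag Windows event-log records that indicate log clearing or audit
policy tampering.  Added example, not part of the original page.  The
record layout and the sample events are constructed; the event IDs
are the standard Windows ones (1102, 104, 4719)."""
from datetime import datetime, timedelta

# (log name, event ID) pairs that a SIEM should alert on.
CLEAR_RULES = {
    ("Security", 1102): "Security event log cleared",
    ("System", 104): "Event log cleared (wevtutil cl / Event Viewer)",
}
AUDIT_POLICY_CHANGED = ("Security", 4719)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def detect_log_tampering(events, window=timedelta(minutes=30)):
    """Return a list of (timestamp, rule, detail) findings.

    Single-event rules fire on every log clear and every audit policy
    change.  A sequence rule additionally fires when an audit policy
    change is followed by a log clear and then another policy change
    inside `window`, the disable -> act -> re-enable pattern from the
    text."""
    findings = []
    timeline = sorted(events, key=lambda e: parse_ts(e["time"]))
    policy_changes = []
    clears = []
    for e in timeline:
        key = (e["log"], e["id"])
        ts = parse_ts(e["time"])
        if key in CLEAR_RULES:
            findings.append((e["time"], "log_cleared",
                             "%s by %s" % (CLEAR_RULES[key], e.get("user", "?"))))
            clears.append(ts)
        elif key == AUDIT_POLICY_CHANGED:
            findings.append((e["time"], "audit_policy_changed",
                             "%s: %s" % (e.get("subcategory", "?"), e.get("change", "?"))))
            policy_changes.append(ts)
    # Sequence rule: policy change, a clear, then another policy change,
    # all inside the window.  One finding per opening policy change.
    for i, first in enumerate(policy_changes):
        for later in policy_changes[i + 1:]:
            if later - first > window:
                break
            if any(first < c < later for c in clears):
                findings.append((first.isoformat(), "audit_toggle_around_clear",
                                 "audit policy changed, log cleared, policy changed "
                                 "again within %s" % window))
                break
    return findings


# Constructed sample records: two benign events around the sequence
# described in the text.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "log": "Security", "id": 4624,
     "user": "WORKSTATION\\admin"},
    {"time": "2024-05-01T10:05:00", "log": "Security", "id": 4719,
     "subcategory": "Logon", "change": "Success removed"},
    {"time": "2024-05-01T10:07:00", "log": "System", "id": 104,
     "user": "WORKSTATION\\admin"},
    {"time": "2024-05-01T10:08:00", "log": "Security", "id": 1102,
     "user": "WORKSTATION\\admin"},
    {"time": "2024-05-01T10:20:00", "log": "Security", "id": 4719,
     "subcategory": "Logon", "change": "Success added"},
    {"time": "2024-05-01T11:00:00", "log": "System", "id": 7036},
]

if __name__ == "__main__":
    for finding in detect_log_tampering(SAMPLE_EVENTS):
        print(*finding)
```

Because the 1102 and 104 records are written to the log that was just emptied, they survive the clear and are usually the first entry in the fresh log; forwarding logs to a collector the local administrator cannot clear is what keeps the records that preceded the clear.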
Auditpol
See all audit policies
Set an auditing policy
Clear all audit policies
Bat script
Download the script and run it as administrator.
wevtutil
wevtutil el: list event logs
Clear a single log
Clear all logs
Cipher
Overwrite deleted files
Bash history
Disable history keeping
Clear bash history
Clear the history of the existing shell only
Shred the history without clearing it
View the history file
First shred the history file, then clear it.
Hiding files and folders
Create a directory
Hide a folder in Windows
Unhide a folder in Windows
Hide user accounts in Windows
Create a file whose name starts with . to hide it. To view the hidden files