Part 4 - Clearing Windows Event Logs

Video Activity

This lesson offers step-by-step instructions on how to clear Windows event logs. This is an important skill to have in penetration testing.

Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Transcription
00:05
Since we have our system account, one thing to think about is, if you're starting to make changes to a system or starting to do other penetration testing tasks, you definitely have to cover your tracks at some point. If you are able to achieve a system-level account, as we can see here, then what I can do is go over to my victim system, and let's first look to see what events are in the event log.

Under Event Viewer, Windows Logs, I can see I've got quite a few application-related logs. I've got quite a few security logs set up, and system. But most likely there's evidence in here, or in other logs for that matter, but this is the main place to look. There's evidence here of actions that were taken to compromise the system, so we want to be able to hide that information.

Very thankfully, within the Meterpreter shell, we have some commands for helping us out with this. Within our core commands, we can search a little bit further down: file system commands, networking commands, and then we finally get to system commands. If this works, we should be able to get rid of some of our tracks. Not necessarily everything; I'll show you what I mean by that in a moment.

Let's just run clearev and see if it works. Look at that, I just got rid of 33 records from Application, 125 from System, and 39 from Security. I can verify that that actually worked by going over to my victim system and hitting F5 to refresh. As you can see, those logs are empty. Setup logs don't get cleared.

But interestingly, the security log contains a log clear event, and the system log also contains a log clear event. This in itself is a little bit suspicious. Hopefully, the analyst or the person looking at this system won't notice that one particular event, because it does leave behind that little bit of evidence that you did clear the logs. But in any case, it's a good technique to consider.

You would try something a little bit different for Unix systems. You would have to go into the var log folder, or the /var/log directory, and go look for individual logs to selectively edit those and so on. Just like with Windows, you need an administrator or root-level account access in order to have the proper permissions.
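The "little bit of evidence" the instructor points out has fixed identities: when the Security log is cleared, Windows writes Security event 1102 ("The audit log was cleared"), and when a non-Security log such as System is cleared it writes System event 104 ("The System log file was cleared"). Those two records are exactly what a defender looks for, and if the host forwards its logs to a collector (Windows Event Forwarding or a SIEM), the local clear never reaches the forwarded copy, so the pre-clear records survive there alongside the clear event. The following Python is an added example, not part of the course or of Metasploit: it parses a simplified, pipe-delimited stand-in for an event log export (the format, the function names and every record in it are constructed assumptions, not data from a real host) and reports, per channel, whether a clear happened and how many older records still exist. On the host that count is zero after clearev; on the collector's copy it is not.

```python
"""Added example: spot the trace a log clear leaves behind.

The export format below is a simplified, pipe-delimited stand-in for a real
.evtx file (an assumption of this example), and every record in it is
constructed for illustration, not taken from a real system.
"""
from dataclasses import dataclass
from datetime import datetime

# (channel, event id) pairs that Windows writes when a log is cleared:
# Security 1102 "The audit log was cleared", System 104 "The ... log file was cleared".
LOG_CLEAR_SIGNATURES = {("Security", 1102), ("System", 104)}

# Constructed host-side export after clearev: each cleared channel now starts
# with its own clear event; Setup was untouched. Format: channel|event_id|time|message
HOST_EXPORT = """\
Application|1000|2024-03-01T10:09:00|Faulting application name: notepad.exe
System|104|2024-03-01T10:07:02|The System log file was cleared.
System|7036|2024-03-01T10:08:15|The Windows Update service entered the running state.
Security|1102|2024-03-01T10:07:03|The audit log was cleared. Subject: Account Name: SYSTEM
Security|4624|2024-03-01T10:07:30|An account was successfully logged on.
Setup|1|2024-03-01T09:00:00|Initiating changes for package.
"""

# Constructed copy of the same channels as held by a log collector (Windows
# Event Forwarding or a SIEM). The host-side clear does not reach this copy,
# so the records written before the clear survive next to the clear event.
FORWARDED_EXPORT = """\
Security|4624|2024-03-01T10:01:05|An account was successfully logged on.
Security|4672|2024-03-01T10:01:05|Special privileges assigned to new logon.
Security|1102|2024-03-01T10:07:03|The audit log was cleared. Subject: Account Name: SYSTEM
Security|4624|2024-03-01T10:07:30|An account was successfully logged on.
System|7036|2024-03-01T10:06:00|The Windows Update service entered the running state.
System|104|2024-03-01T10:07:02|The System log file was cleared.
System|7036|2024-03-01T10:08:15|The Windows Update service entered the running state.
"""


@dataclass(frozen=True)
class Event:
    channel: str
    event_id: int
    time: datetime
    message: str


def parse_export(text: str) -> list[Event]:
    """Parse the pipe-delimited export; blank lines and '#' comment lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        channel, event_id, stamp, message = line.split("|", 3)
        events.append(Event(channel, int(event_id), datetime.fromisoformat(stamp), message))
    return events


def find_log_clears(events: list[Event]) -> list[Event]:
    """Return every record that is itself a log-clear event (Security 1102, System 104)."""
    return [e for e in events if (e.channel, e.event_id) in LOG_CLEAR_SIGNATURES]


def summarize_channels(events: list[Event]) -> dict[str, dict]:
    """Per channel: record count, time of the latest clear (None if never cleared),
    and how many records older than that clear are still present. On the host that
    number is 0 because the clear removed them; on a forwarded copy it stays > 0,
    which is why log forwarding is the practical counter to clearev."""
    summary = {}
    for channel in sorted({e.channel for e in events}):
        chan = [e for e in events if e.channel == channel]
        clears = find_log_clears(chan)
        latest = max(clears, key=lambda e: e.time) if clears else None
        before = [e for e in chan if latest is not None and e.time < latest.time]
        summary[channel] = {
            "records": len(chan),
            "cleared_at": latest.time if latest else None,
            "records_before_clear": len(before),
        }
    return summary


if __name__ == "__main__":
    for label, export in (("host", HOST_EXPORT), ("collector", FORWARDED_EXPORT)):
        print(f"== {label} ==")
        for channel, info in summarize_channels(parse_export(export)).items():
            print(f"{channel:12} records={info['records']:2} cleared_at={info['cleared_at']} "
                  f"records_before_clear={info['records_before_clear']}")
```

Run against the host export, the summary shows Security and System each starting with their own clear event and nothing older, which is what the refreshed Event Viewer in the video shows; run against the collector's copy, the same two clear events appear with the pre-clear logon and service records still in front of them, so the hope that "the analyst won't notice that one particular event" does not hold where forwarding is in place.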