Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Description

This lesson offers step-by-step instructions on how to clear Windows event logs. This is an important skill to have in penetration testing.

Video Transcription

00:04
Okay, So
00:06
since we have our system account,
00:08
um,
00:10
one thing to think about is, if you're starting to make changes to a system or starting to do other penetration testing tasks, you definitely have to cover your tracks at some point.
00:21
And if you are able to achieve
00:24
system would look out
00:27
because we can see here
00:31
and what I can do is go over to my victim's system. And let's first look to see
00:38
what kind of events are in the event log.
00:45
So under Event Viewer,
00:48
Windows Logs,
00:51
I can see I've got
00:53
quite a few
00:55
application related logs.
00:58
I've got quite a few security logs set up and system,
01:04
but most likely there's evidence in here or in other logs, for that matter. But this is the main place to look.
01:11
There's evidence here of
01:14
actions that were taken to compromise the system. So
01:18
how are you able to
00:19
hide that information?
01:23
so very thankfully, within
01:25
the Meterpreter shell,
01:33
we have some commands for helping us out with this.
01:44
So within our core commands,
01:49
we can search a little bit further down
01:52
file system commands, networking commands,
01:55
and then we finally get to system commands.
01:57
And if this works, we should be able to get rid of
02:01
some of our tracks,
02:04
not necessarily everything. And I'll show you what I mean by that in a moment.
02:08
So let's just run
02:10
clearev and see if it works.
02:14
And look at that. I just got rid of 33 records from application, 125 from system and 39 from security. I can verify that that actually worked
02:23
by going over to the victim's system and hitting F5 to refresh.
02:28
And as you can see, those logs are empty.
02:30
Some logs don't get cleared. Interestingly, though, the security log
02:37
contains a log, clear event
02:39
and the system log also contains a log clear event,
02:44
so this in itself is a little bit suspicious.
02:46
Um, hopefully
02:49
the uh
02:50
analyst or the person looking at the system won't notice that one particular event
02:55
because it doesn't leave behind that little bit of evidence that you did clear logs.
03:00
But in any case, it's a good technique to consider, and you would try something a little bit different for UNIX systems. You have to go into the /var/log folder or the dialogue directory and go look for individual logs to selectively edit those, and so on.
03:16
Just like with Windows, you need an administrator or root-level account access, or you have proper permissions.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor