Since we have our system account, one thing to think about is that if you're starting to make changes to a system, or starting to do other penetration testing tasks, you definitely have to cover your tracks at some point.
And if you are able to achieve
system would look out
because we can see here
And what I can do is go over to my victim's system. And let's first look to see what kind of events are in the event log.
So under Event Viewer, there are the application-related logs. I've got quite a few security logs, and system.
Most likely there's evidence in here, or in other logs for that matter, but this is the main place to look.
There's evidence here of actions that were taken to compromise the system. So we want to hide that information, and very thankfully, within the Meterpreter shell, we have some commands for helping us out with this.
So within our core commands, we can search a little bit further down, past the file system commands and networking commands, and then we finally get to the system commands.
And if this works, we should be able to get rid of not necessarily everything, and I'll show you what I mean by that in a moment. Let's run clearev and see if it works.
And look at that. I just got word of 33 records wiped from Application, 125 from System and 39 from Security. We can verify that that actually worked by going over to the victim's system and hitting F5 to refresh.
And as you can see, those logs are empty.
Some logs don't get cleared. Interestingly, though, the Security log contains a log clear event, and the System log also contains a log clear event, so this in itself is a little bit suspicious.
Ideally you want a method where the analyst or the person looking at the system won't notice that one particular event, because it doesn't leave behind that little bit of evidence that you did clear logs.
But in any case, it's a good technique to consider, and you would try something a little bit different for UNIX systems. You have to go into the /var/log folder, or whatever the log directory is, and go look for individual logs to selectively edit those, and so on.
Just like with Windows, you need an administrator or root-level account, or you have to have the proper permissions.
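As an added example that is not part of the video, here is what the analyst's side of the Windows part looks like: a PowerShell session on the victim (run elevated) that counts the records left in each log after clearev and then pulls out the two events the video notices, the Security log clear and the System log clear. The event IDs and the XML field names are standard Windows facts (Security event 1102 "The audit log was cleared", System event 104 from Microsoft-Windows-Eventlog "The System log file was cleared"); they are not shown in the video, and the extra log names used in the count are my choice of examples.

```powershell
# Added example, not from the video. Run in an elevated PowerShell on the victim
# after clearev has been run from Meterpreter.

# 1. Record counts per log. Application, System and Security should now be near
#    zero, while logs clearev does not touch (the extra names here are just examples)
#    keep their records.
function Get-LogCounts {
    Get-WinEvent -ListLog Application, System, Security, 'Windows PowerShell', Setup -ErrorAction SilentlyContinue |
        Select-Object LogName, RecordCount, LastWriteTime
}

# 2. The tell-tale events a clear leaves behind:
#    Security 1102 = audit log cleared, System 104 (Microsoft-Windows-Eventlog) = System log cleared.
#    Both carry the account that did it in their UserData/LogFileCleared XML.
function Get-LogClearEvents {
    $cleared = @()
    $cleared += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue
    $cleared += Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } -ErrorAction SilentlyContinue

    foreach ($e in $cleared) {
        $x = [xml]$e.ToXml()
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $e.LogName
            Id      = $e.Id
            Subject = "$($x.Event.UserData.LogFileCleared.SubjectDomainName)\$($x.Event.UserData.LogFileCleared.SubjectUserName)"
        }
    }
}

Get-LogCounts | Format-Table -AutoSize
Get-LogClearEvents | Sort-Object Time | Format-Table -AutoSize
```

The first table is the "hitting F5" check from the video done in numbers, and the second table is the suspicious part: even though the bulk of the records are gone, the clear itself is recorded with a timestamp and the account that ran it (the SYSTEM account in the video's case). If the host forwards events to a collector or SIEM, the wiped records are also still there on the collector; clearev only empties the local copy.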