Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on Windows Security logs and how to enumerate and remove them. It covers a tool called wevtutil, the Windows Event utility, which lets you retrieve information about event logs as well as clear them. Windows logs can track just about anything on a system.

Video Transcription

00:04
Hello, viewers. Welcome to this latest video on post exploitation, hacking, persistence and continued access. This video is going to be discussing the third and final step
00:15
of post exploitation hacking, which is covering tracks: clearing data out, clearing any record of your presence.
00:24
Ah, this is going to be
00:26
this particular video is going to be discussing Windows security logs and how to enumerate them and remove them.
00:34
This is discussing sort of the hammer technique or the sledgehammer technique of hiding your presence, which is to essentially just set fire to the security logs.
00:43
Um,
00:45
any vigilant system administrator will notice that all of their security logs are gone, and that'll be a warning that someone was there.
00:52
But, you know, it doesn't tell them you were there. So depending on your situation and how much time you have and how willing you are to let them know some sort of event took place,
01:00
It's still a pretty valid option,
01:03
not to mention Windows, especially since Windows 7, has made
01:07
deleting specific log entries extremely difficult.
01:11
So sometimes deleting everything is the safer course.
01:14
So we're gonna go ahead, and you're gonna learn about a tool in this called wevtutil,
01:19
the Windows Event utility.
01:22
So we see here it enables you to retrieve information about event logs, install and uninstall, and so on.
01:30
So
01:30
first thing we're gonna do, we're just gonna pretty much run through all of these options. The first one is enum-logs. So
01:38
let's try el.
01:41
Wow, look at that. Isn't that a bunch of logs?
01:45
Well, too,
01:47
lots of Microsoft Windows stuff.
01:52
Here's one that might be useful
01:56
Microsoft Windows Shell,
01:57
maybe something we want to examine.
02:00
Sticky Notes. Lots of junk.
02:05
Terminal Services. That's definitely one we want to get rid of. Well, not all of them, but certainly
02:10
we want to consider getting rid of these. RDP,
02:14
that's a log of, you know, people who RDP'd in.
02:20
So
02:21
let's check this again
02:29
so we can get log configuration information. Okay, let's see what that does.
02:36
Okay, well,
02:38
it needs a specific log.
02:39
Well, we've already found one that we're kind of looking at and considering getting rid of. So let's check
02:45
this right here.
02:50
All right. So this log is the, ah, the RDP Operational log.
02:55
We see
02:57
publisher is Microsoft Windows.
03:00
It's got some access information. It's got a log file name. Okay,
03:05
so if we just want to torch that log, we can try going into this location,
03:09
see if it will let us in.
03:12
It would appear. Well,
03:14
probably get over this last part.
03:19
All right, so you see lots of things
03:21
again. We see remote connection manager event logs.
03:24
I'm not actually going to delete these particular logs simply because
03:30
I wanna have them around for later demos and later information.
03:35
But if you wanted to destroy logs, this is the place you could go. You could do del *
03:43
.*,
03:44
which pretty much torches everything.
03:46
Uh,
03:47
or you can do it a little bit more effectively, which is what we're gonna do in a minute. Like I said, I'll show you.
03:53
So we've got get-log, we've got set-log. We can actually modify a lot of configuration.
04:00
We could check publishers, we can install, blah blah blah.
04:03
Now, here's a good one. This is what we want.
04:08
I want to be able to clear-log.
04:09
Also, exporting a log wouldn't be bad if you wanted to, ah,
04:12
do some serious information gathering exporting a bunch of logs is a great way to go. But
04:17
it's sort of time consuming and boring.
04:19
We are going to clear a log,
04:23
so
04:25
go ahead.
04:26
So wevtutil cl.
04:30
That's not the one we want at all, is it?
04:32
So we go back up here to this
04:38
super interesting stuff.
04:40
There it is.
04:43
So this is the log we're gonna go ahead and clear.
04:46
We're gonna do a cl instead of a gl,
04:49
and bam. It's cleared
04:54
We don't see anything interesting here now. No noticeable changes have been made.
04:59
However, when someone goes through with their actual log viewer, with Event Viewer, this will now show them absolutely nothing.
05:04
Cool. That's nifty.
05:08
What would happen if we did this on, say, another log that we may have noticed a moment ago?
05:15
Security
05:17
First we'll do a get-log so we can see what's in it.
05:23
All right.
05:24
There's no owning publisher. It's an administrative log. It is enabled
05:30
all of this information, max size.
05:32
One thing that's worth doing, if you really wanna mess with an admin's head, is setting this to disabled
05:38
while you're doing your stuff and then setting it to enabled when you leave.
05:43
Um, it won't work perfectly. It will record that it was disabled, but it won't record what you did, which is a big part of, you know, how you can kind of get away with doing things that you probably shouldn't be doing.
05:55
But in our case, we're just kind of doing the basics instead of anything too high-level and specific. We're going to go ahead and
06:02
torch it.
06:04
Yeah.
06:08
So now we have actually gotten rid of that, and we've just emptied it
06:11
essentially.
06:13
And now we're feeling pretty safe, you know? They can't actually see us. The logs are gone. They know someone was here, someone did something, but they don't know it was us, and they don't know what we did.
06:26
Windows event logs can track anything.
06:29
You can set up a log to track pretty much anything you could imagine.
06:31
So it's useful to, ah, really go through that list, the
06:36
wevtutil list.
06:40
Yeah,
06:41
and actually go through this and just manually check.
06:45
Well, not manually, necessarily. We go through this and check for anything that might be what you're after.
06:48
Any event log that might have information.
06:50
Um, again, I mentioned the shell logs
06:55
always worth considering getting rid of them.
07:00
And the reason for this is really pretty straightforward. You never know what's actually being stored in them. So we see there are actually some other security
07:06
logs
07:09
you probably want to clear out.
07:12
When in doubt with a log, if you've already started clearing logs out,
07:15
just clear them all.
07:18
This PowerShell log is worth getting rid of,
07:23
just all of them.
07:25
That's really all there is for this video. It was pretty quick, pretty straightforward, pretty simple.
07:30
Ah,
07:32
all you really need to know about logs is, if you don't have a special tool which can actually break in and change them,
07:39
better no log be present than a log that tells them what you did.
07:44
With that, we're gonna go ahead and end the video.
07:46
I hope you learned a lot. I hope you, you know,
07:49
experience some new things to do with logs and to do with clearing.
07:54
And until next time, I'm just me, Joseph Perry, and you've been watching this on cybrary.it.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc