5.5 Covering Tracks
- Once intruders have gained administrator access on a system, they try to cover their tracks to avoid detection.
- Attackers use the following techniques to cover their tracks on the target system:
- Disabling auditing
- Clearing logs
- Manipulating logs
Disabling Auditing: Auditpol
- Intruders disable auditing immediately after gaining administrator privileges; on Windows, auditpol.exe can change or clear the local audit policy.
- At the end of their stay, the intruders turn auditing back on with auditpol.exe. The policy change is itself audited (Event ID 4719 in the Security log), so the disable/enable pair brackets a silent window unless those records are also removed.
Clearing Logs
- Attackers use the clearlogs.exe utility (or the built-in wevtutil, which can clear a named log) to clear the Security, System, and Application logs.
- If the system was exploited with Metasploit, the attacker runs the Meterpreter command clearev, which clears the Application, System, and Security logs. Clearing is itself recorded: the emptied Security log starts with Event ID 1102 and the System log with Event ID 104, so a cleared log is a detectable artefact, and copies already forwarded to a log collector are untouched.
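The auditpol and log-clearing steps above leave their own records. The following Python script is an added example, not part of the original course notes or of auditpol, clearlogs or Metasploit. It runs three detection checks over Windows event records represented as plain dicts; the dict layout is an assumption standing in for exported EVTX or SIEM data, and the two samples are constructed. The Event IDs are the documented Windows ones: 4719 (system audit policy was changed), 1102 (the Security log was cleared), 1100 (the event logging service shut down) and 104 (the System log was cleared).

```python
"""Detection checks for the artefacts that auditpol and log clearing leave.

Added example (not from the original notes or from auditpol, clearlogs or
Metasploit). Event records are plain dicts; the layout is an assumption
standing in for exported EVTX / SIEM data.
"""
from datetime import datetime, timedelta

# Constructed sample of what a log collector received from one host:
# an intruder turns auditing off at 09:05, works for an hour, turns it
# back on at 10:05 and then clears the Security and System logs.
COLLECTOR_EVENTS = [
    {"log": "Security", "id": 4624, "time": "2024-03-01T09:00:00", "user": "alice"},
    {"log": "Security", "id": 4719, "time": "2024-03-01T09:05:00", "user": "alice"},
    {"log": "Security", "id": 4719, "time": "2024-03-01T10:05:00", "user": "alice"},
    {"log": "Security", "id": 4624, "time": "2024-03-01T10:06:00", "user": "bob"},
    {"log": "Security", "id": 1102, "time": "2024-03-01T10:07:00", "user": "alice"},
    {"log": "System",   "id": 104,  "time": "2024-03-01T10:07:05", "user": "alice"},
    {"log": "System",   "id": 7036, "time": "2024-03-01T10:08:00", "user": "SYSTEM"},
]

# Constructed sample of what the host's own Security log holds afterwards:
# the clear wiped everything before it, and 1102 is now the oldest record.
HOST_SECURITY_AFTER_CLEAR = [
    {"log": "Security", "id": 1102, "time": "2024-03-01T10:07:00", "user": "alice"},
    {"log": "Security", "id": 4624, "time": "2024-03-01T10:09:00", "user": "alice"},
]

# Documented Windows event IDs that mean a log was cleared or logging stopped.
CLEAR_EVENTS = {
    ("Security", 1102): "Security log cleared",
    ("Security", 1100): "event logging service shut down",
    ("System", 104): "System log cleared",
}
AUDIT_POLICY_CHANGED = 4719  # Security log: "System audit policy was changed"


def _when(event):
    return datetime.fromisoformat(event["time"])


def find_log_clearing(events):
    """One finding per log-clear or logging-stop record, in input order."""
    findings = []
    for e in events:
        label = CLEAR_EVENTS.get((e["log"], e["id"]))
        if label:
            findings.append(f'{e["time"]} {e["log"]} {e["id"]}: {label} by {e["user"]}')
    return findings


def find_audit_gaps(events, min_gap_minutes=30):
    """Report pairs of 4719 records with no Security event between them.

    auditpol cannot switch the policy silently: each change is audited, so
    "disable ... do the work ... re-enable" shows up as two 4719 records
    bracketing an empty window.  Heuristic only: a genuinely idle host also
    produces quiet windows, hence the minimum-gap threshold.
    """
    min_gap = timedelta(minutes=min_gap_minutes)
    sec = sorted((e for e in events if e["log"] == "Security"), key=_when)
    findings = []
    for i, e in enumerate(sec):
        if e["id"] != AUDIT_POLICY_CHANGED:
            continue
        for j in range(i + 1, len(sec)):
            if sec[j]["id"] == AUDIT_POLICY_CHANGED:
                gap = _when(sec[j]) - _when(e)
                # j - i == 1 means the two 4719 records are adjacent: nothing between them
                if j - i == 1 and gap >= min_gap:
                    findings.append(
                        f'{e["time"]}..{sec[j]["time"]}: audit policy changed twice '
                        f"with no Security events in between ({gap})"
                    )
                break
    return findings


def cleared_log_signature(host_events):
    """True when the oldest surviving Security record is the 1102 clear itself."""
    sec = sorted((e for e in host_events if e["log"] == "Security"), key=_when)
    return bool(sec) and sec[0]["id"] == 1102


if __name__ == "__main__":
    for line in find_log_clearing(COLLECTOR_EVENTS) + find_audit_gaps(COLLECTOR_EVENTS):
        print(line)
    print("host log starts with 1102:", cleared_log_signature(HOST_SECURITY_AFTER_CLEAR))
```

On the host itself only the 1102 record and later events remain after a clear, which is what cleared_log_signature() checks; the bracketing 4719 pair and the pre-clear activity survive only in the forwarded copy, which is why find_audit_gaps() is meant to run over collector data rather than the live log.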
Manually Clearing Event Logs
- Windows:
- Navigate to Start > Control Panel > System and Security > Administrative Tools and double-click Event Viewer.
- Clear the logs that recorded the compromise (right-click the log and choose Clear Log). Event Viewer cannot delete individual entries; it only empties a whole log, and the emptied Security log begins with Event ID 1102 recording the clear.
- Linux:
- Navigate to the /var/log directory on the Linux system.
- Open the plain-text file containing the log messages, typically /var/log/messages (/var/log/syslog on Debian-based systems), with a text editor.
- Delete the log entries written while the system was being compromised. Entries already forwarded to a remote syslog server, or held by systemd-journald in its binary journal, are not affected by editing this file.
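The Linux procedure above edits a plain-text file, so a defender with an untouched copy can see exactly what was removed. The following Python script is an added example, not part of the original course notes: it performs the selective line removal the notes describe and then runs two checks against it, a line-by-line comparison with a forwarded copy and a coarse timestamp-gap scan. The log content, host name and address (203.0.113.7, a documentation address) are constructed, and the parser assumes a fixed year because BSD-format syslog timestamps carry none.

```python
"""Manual syslog editing, and two checks that show it happened.

Added example, not from the original notes. The log content, host name and
address are constructed (203.0.113.7 is a documentation address).
"""
from datetime import datetime, timedelta

SYSLOG_YEAR = 2024  # BSD syslog timestamps carry no year; assumed for parsing

# Constructed copy of /var/log/messages as forwarded to a remote syslog
# server before the intruder touched the local file.
REMOTE_COPY = """\
Mar  1 09:00:01 web01 CRON[1502]: (root) CMD (run-parts /etc/cron.hourly)
Mar  1 09:02:17 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51214 ssh2
Mar  1 09:02:20 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51214 ssh2
Mar  1 09:02:25 web01 sshd[2210]: Accepted password for root from 203.0.113.7 port 51214 ssh2
Mar  1 09:02:25 web01 sshd[2210]: pam_unix(sshd:session): session opened for user root
Mar  1 09:40:03 web01 useradd[2300]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup
Mar  1 10:00:01 web01 CRON[2410]: (root) CMD (run-parts /etc/cron.hourly)
Mar  1 10:15:44 web01 sshd[2210]: pam_unix(sshd:session): session closed for user root
Mar  1 11:00:01 web01 CRON[2600]: (root) CMD (run-parts /etc/cron.hourly)
"""


def scrub(text, needles):
    """The edit the notes describe: drop every line that mentions a needle."""
    return "".join(
        line for line in text.splitlines(keepends=True)
        if not any(n in line for n in needles)
    )


# The local file after the intruder removed everything tied to the session.
LOCAL_AFTER_EDIT = scrub(REMOTE_COPY, ["203.0.113.7", "svc_backup", "user root"])


def parse_ts(line):
    """Parse the 'Mon dd HH:MM:SS' prefix of a BSD-format syslog line."""
    month, day, clock = line.split(None, 3)[:3]
    return datetime.strptime(f"{month} {day} {clock} {SYSLOG_YEAR}", "%b %d %H:%M:%S %Y")


def missing_lines(local_text, remote_text):
    """Lines the forwarded copy holds that the local file no longer does."""
    local = set(local_text.splitlines())
    return [line for line in remote_text.splitlines() if line not in local]


def gaps_over(text, min_minutes=45):
    """Consecutive-line time gaps of at least min_minutes.

    A coarse check for cut-out spans: useful on busy logs, noisy on idle ones.
    """
    threshold = timedelta(minutes=min_minutes)
    times = [parse_ts(line) for line in text.splitlines() if line.strip()]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a >= threshold]


if __name__ == "__main__":
    for line in missing_lines(LOCAL_AFTER_EDIT, REMOTE_COPY):
        print("removed locally:", line)
    for a, b in gaps_over(LOCAL_AFTER_EDIT):
        print(f"silent span {a.time()} -> {b.time()}")
```

The comparison with the forwarded copy is the decisive check; the gap scan only says that a window is quieter than expected, which on a lightly used host proves nothing by itself. Opening the file in a text editor also rewrites it, so its modification time will not match the rest of /var/log, and journald's own journal still holds the same entries.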
Ways to Clear Online Tracks
- Remove Most Recently Used (MRU) lists, delete cookies, clear the cache, turn off AutoComplete, and clear toolbar data from the browsers.
- Privacy Settings in Windows 8.1:
- Click the Start button, then choose Control Panel > Appearance and Personalization > Taskbar and Start Menu.
- Click the Start Menu tab and, under Privacy, clear the "Store and display recently opened items in the Start menu and the taskbar" check box.
- From the Registry in Windows 8.1:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
and then select the RecentDocs subkey (the key name has no space; the RunMRU subkey under the same Explorer key holds the Run dialog history)
- Delete all the values except "(Default)"
- CCleaner:
- CCleaner is a system optimization and cleaning tool.
- It removes traces such as temporary files, log files, registry entries, memory dumps, and online activity such as Internet history.
- MRU-Blaster:
- MRU-Blaster is a Windows application that cleans the most-recently-used lists stored on the computer.
- It can also clean out temporary Internet files and cookies.