5.5 Covering Tracks

Covering Tracks

  • Once intruders have gained administrator access on a system, they try to cover their tracks to avoid detection.
  • Attackers use the following techniques to cover tracks on the target system:
    • Disabling auditing
    • Clearing logs
    • Manipulating logs

Disabling Auditing: Auditpol

  • Intruders disable auditing immediately after gaining administrator privileges.
  • At the end of their stay, the intruders simply turn auditing back on using auditpol.exe, so that the audit trail looks continuous apart from the gap.

Clearing Logs

  • Attackers use the clearlogs.exe utility to clear the security, system, and application logs.
  • If the system was exploited with Metasploit, the attacker uses the Meterpreter shell to wipe all the logs from the Windows system.
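The two techniques above (disabling auditing, then clearing the logs) leave their own trail: Windows records an audit-policy change as Security event 4719, a cleared Security log as event 1102, and a cleared System log as event 104. The script below is an added example, not part of the original notes or of any product; it runs over a constructed event export (the SAMPLE_EVENTS records are invented) and flags those events, then pairs two 4719 events from the same account inside a short window, which is the off-then-on pattern described under "Disabling Auditing".

```python
"""Flag Windows event records that indicate the audit trail itself was tampered with.

The event IDs are the ones Windows raises for these actions; every record in
SAMPLE_EVENTS is constructed for this example, not taken from a real log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (EventID, channel) pairs that signal tampering with auditing or the logs.
TAMPER_EVENTS = {
    (4719, "Security"): "System audit policy was changed",
    (1102, "Security"): "The audit log was cleared",
    (104, "System"): "The System log file was cleared",
}
CLEAR_IDS = {1102, 104}

# Constructed sample export, in the shape of fields from an EVTX-to-JSON dump.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "id": 4624, "channel": "Security", "user": "alice"},
    {"time": "2024-03-01T09:05:00", "id": 4719, "channel": "Security", "user": "alice"},
    {"time": "2024-03-01T09:06:00", "id": 4688, "channel": "Security", "user": "alice"},
    {"time": "2024-03-01T09:40:00", "id": 1102, "channel": "Security", "user": "alice"},
    {"time": "2024-03-01T09:41:00", "id": 104, "channel": "System", "user": "alice"},
    {"time": "2024-03-01T09:42:00", "id": 4719, "channel": "Security", "user": "alice"},
    {"time": "2024-03-02T11:00:00", "id": 4719, "channel": "Security", "user": "SYSTEM"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def find_tamper_events(events):
    """Return one alert per record whose (id, channel) is a known tamper signal."""
    alerts = []
    for ev in events:
        label = TAMPER_EVENTS.get((ev["id"], ev["channel"]))
        if label:
            alerts.append({"time": ev["time"], "user": ev["user"],
                           "id": ev["id"], "label": label})
    return alerts


def find_audit_toggles(events, window=timedelta(hours=2)):
    """Pair consecutive 4719 events from the same account that fall within `window`.

    An audit-policy change, activity, then another change shortly after is the
    'turn auditing off, work, turn it back on' pattern. Each toggle also reports
    how many log-clear events (1102/104) the same account produced in between.
    """
    policy_changes = defaultdict(list)
    clears = defaultdict(list)
    for ev in events:
        when = parse_time(ev["time"])
        if ev["id"] == 4719 and ev["channel"] == "Security":
            policy_changes[ev["user"]].append(when)
        elif ev["id"] in CLEAR_IDS:
            clears[ev["user"]].append(when)

    toggles = []
    for user, times in policy_changes.items():
        times.sort()
        for start, end in zip(times, times[1:]):
            if end - start <= window:
                cleared = sum(1 for t in clears[user] if start <= t <= end)
                toggles.append({"user": user, "start": start.isoformat(),
                                "end": end.isoformat(), "cleared_between": cleared})
    return toggles


if __name__ == "__main__":
    for alert in find_tamper_events(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['user']:>8} {alert['id']:>5} {alert['label']}")
    for toggle in find_audit_toggles(SAMPLE_EVENTS):
        print(f"audit policy toggled by {toggle['user']} between {toggle['start']} "
              f"and {toggle['end']} with {toggle['cleared_between']} log clear(s) inside")
```

A single 4719 from SYSTEM is often just Group Policy re-applying the audit settings, which is why the paired toggle from an interactive account, with a 1102 or 104 sandwiched inside, is the stronger signal. Forwarding these events to a collector the host cannot write to is what makes the check survive the log clear itself.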

Manually Clearing Event Logs

  • Windows:
    • Navigate to Start > Control Panel > System and Security > Administrative Tools, then double-click Event Viewer.
    • Delete all the log entries recorded while the system was being compromised.
  • Linux:
    • Navigate to the /var/log directory on the Linux system.
    • Open the plain-text file containing the log messages, such as /var/log/messages, with a text editor.
    • Delete all the log entries recorded while the system was being compromised.
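Hand-editing /var/log/messages, as described for Linux above, leaves artifacts a defender can look for: a stretch of silence on a host that normally logs every few minutes, a timestamp that steps backwards (a daemon appends in order, an editor does not), and entries that reached a remote syslog collector but are no longer in the local file. The script below is an added example, not part of the original notes; both log excerpts (LOCAL_LOG and REMOTE_COPY) are constructed, the hostname web01 and the year are assumed, and the checks are the three just listed.

```python
"""Spot deleted or inserted entries in a classic syslog file such as /var/log/messages.

Checks: (1) gaps in the timestamp sequence, (2) timestamps that go backwards,
(3) differences against a copy forwarded to a remote collector.
All log lines below are constructed for this example, not captured from a real host.
"""
import re
from datetime import datetime, timedelta

# "Mon DD HH:MM:SS host message" (classic BSD syslog; the day may be space-padded).
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
YEAR = 2024  # classic syslog lines carry no year; assumed here

# Constructed on-host file after someone removed three lines and typed in one.
LOCAL_LOG = """\
Mar  1 08:59:58 web01 CRON[2201]: (root) CMD (run-parts /etc/cron.hourly)
Mar  1 09:00:03 web01 sshd[2210]: Accepted password for deploy from 10.0.0.5 port 51234 ssh2
Mar  1 09:45:10 web01 systemd[1]: Started Session 7 of user deploy.
Mar  1 09:44:00 web01 CRON[2290]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

# Constructed copy of the same period as received by a remote syslog collector.
REMOTE_COPY = """\
Mar  1 08:59:58 web01 CRON[2201]: (root) CMD (run-parts /etc/cron.hourly)
Mar  1 09:00:03 web01 sshd[2210]: Accepted password for deploy from 10.0.0.5 port 51234 ssh2
Mar  1 09:00:09 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/bin/bash
Mar  1 09:12:31 web01 sudo: deploy : TTY=pts/0 ; PWD=/root ; COMMAND=/usr/bin/vi /etc/passwd
Mar  1 09:30:05 web01 sudo: deploy : TTY=pts/0 ; PWD=/root ; COMMAND=/usr/bin/vi /var/log/messages
Mar  1 09:45:10 web01 systemd[1]: Started Session 7 of user deploy.
""".splitlines()


def parse_line(line, year=YEAR):
    """Parse a syslog line into (timestamp, host, message); None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return stamp, m.group(2), m.group(3)


def find_gaps(lines, max_gap=timedelta(minutes=30)):
    """Return (previous_line, next_line, gap) for consecutive entries more than max_gap apart."""
    gaps = []
    prev = None  # (timestamp, raw line)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        if prev is not None and parsed[0] - prev[0] > max_gap:
            gaps.append((prev[1], line, parsed[0] - prev[0]))
        prev = (parsed[0], line)
    return gaps


def find_regressions(lines):
    """Return lines whose timestamp is earlier than the line before them."""
    out = []
    last = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        if last is not None and parsed[0] < last:
            out.append(line)
        last = parsed[0]
    return out


def diff_against_remote(local, remote):
    """Return (lines missing locally, lines present only locally), preserving order."""
    local_set, remote_set = set(local), set(remote)
    missing = [line for line in remote if line not in local_set]
    only_local = [line for line in local if line not in remote_set]
    return missing, only_local


if __name__ == "__main__":
    for before, after, gap in find_gaps(LOCAL_LOG):
        print(f"gap of {gap} between:\n  {before}\n  {after}")
    for line in find_regressions(LOCAL_LOG):
        print(f"timestamp goes backwards: {line}")
    missing, only_local = diff_against_remote(LOCAL_LOG, REMOTE_COPY)
    for line in missing:
        print(f"missing locally: {line}")
    for line in only_local:
        print(f"only in local file: {line}")
```

The gap threshold is a per-host tuning knob: a quiet appliance may legitimately go hours without a line, while the hourly cron entries in the sample make a 45-minute hole stand out. The remote comparison is the only one of the three that an attacker with root on the host cannot defeat by editing carefully, which is the case for shipping logs off-box in the first place.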

Ways to Clear Online Tracks

  • Remove Most Recently Used (MRU) lists, delete cookies, clear the cache, turn off AutoComplete, and clear toolbar data from the browsers.
  • Privacy Settings in Windows 8.1:
    • Click on the Start button, choose Control Panel > Appearance and Personalization > Taskbar and Start Menu.
    • Click the Start Menu tab, and then, under Privacy, clear the "Store and display recently opened items in the Start menu and the taskbar" check box.
  • From the Registry in Windows 8.1:
    • Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and then remove the "RecentDocs" key.
    • Delete all the values except "(Default)".

Covering Tracks Tools

  • CCleaner:
    • CCleaner is a system optimization and cleaning tool.
    • It cleans traces of temporary files, log files, registry files, memory dumps, and also your online activities such as your Internet history.
  • MRU-Blaster:
    • MRU-Blaster is an application for Windows that allows you to clean the most recently used lists stored on your computer.
    • It allows you to clean out your temporary Internet files and cookies.
