CIP Cyber

Remove Event Log – Cover Track After Hacking Metasploit

Table of Contents

There are so many ways to hack into a computer but after comprising the computer an attacker (hacker) needs to cover their track because each and every activity that a hacker do (or a normal user do) is recorded by the system. So whenever a hacker hack into a web server or a computer than after doing the work an attacker usually cover the track so that no one is able to catch them. How to cover your track after hacking or how a hacker cover their track is an important topic of discussion and need more tutorial because every operating system has its own way to maintain the logs.
Log files contain the information of every activity that has been done on a computer so it is very important to remove this log file. There are different way to remove log files on windows, Linux and MAC but in this tutorial I will show you how to remove event log management by using Metasploit post exploitation tutorial for windows.

Requirement

  • Metasploit (Backtrack 5 r1 using for tutorial, you can use some other too)
  • A compromised host (it is very easy to hack into windows by using metasploit, as discussed before if you don’t know how than let us know I will share the link of the previous tutorial)
  • A brain
Now let suppose you have hacked a windows operating system and you have a meterpreter session than you can do multiple things via meterpreter session like you can cover your track by removing the log file. The picture below shows that how a windows maintain logs that an attacker need to remove.

On our meterpreter session we need to call a post exploitation script that is available and has been given with metasploit (you can create some more script too). Lets call irb

meterpreter > irb
[*] Starting IRB shell
[*] The ‘client’ variable holds the meterpreter client
>> client.sys.config.sysinfo()
=> {“Computer”=>”VIRTUAL-7C33D2A”, “OS”=>”Windows XP (Build 2600, Service Pack 2).”, “Architecture”=>”x86”, “System Language”=>”en_US”}

Than we need to clear the log it requires an easy command.

>> log.clear
=> #<#:0xb6779424 @client=#>,
/trendmicro_serverprotect_earthagent”=>#, “windows/browser/ie_iscomponentinstalled”=>#, “windows/exec/reverse_ord_tcp”=>#, “windows/http/apache_chunked”=>#, “windows/imap/novell_netmail_append”=>#

Thats it.

Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.
CIP Cyber Staff

CIP Cyber Staff

CIP Cyber Staff comprises CIP cybersecurity experts committed to delivering comprehensive information on critical infrastructure protection. The content covers diverse topics, equipping professionals to defend organizations and communities in an ever-evolving cyber landscape.

Most popular

Industrial Cybersecurity

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings

Related Articles

What Proxies Are For

When you cannot access certain sites or hide your identity, you need a tool for that. For example, the USA proxies are in demand among

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings