Log Tampering - Salem73616C656D/reading-notes GitHub Wiki
Key Takeaways
How To Cover Your Tracks
- Disable Auditing
- Clearing Logs
- Modifying Logs
- Erasing Command History
Disable Auditing
On Windows systems, hackers can use the command-line favorite Auditpol, which not only lets them disable auditing but also shows the level of logging the organization's system administrator has configured. Knowing this tells the hacker exactly what is logged. This matters because, when possible, hackers prefer to turn off or alter only the logging that captured their activity, which makes them harder to track.
Clearing Logs
- clearlogs.exe
- meterpreter
- Windows Event Viewer
- Shred tool (Linux): `shred -vfzu auth.log`
Modifying Logs
Knowing is half the battle, and knowing where the logs are on the target system is crucial for any hacker. As an ethical hacker working on behalf of your organization, you will already know their location; inexperienced hackers may not, which wastes time and increases the chance of detection. In some cases a text editor may be needed to modify logs; regardless, it is as easy as editing a Word file.
Deleting Commands
The thing with bash is that it retains the history of entered commands, so unless you clear it, the administrator will be able to see that the shred command above was entered. This history is kept in the file ~/.bash_history.
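A defender-side check for the four techniques in these notes (auditpol changes, cleared event logs, shred on a log file, and deleting bash history), added here as an example that is not part of the original notes: it flags the Windows event IDs that record audit-policy changes and log clearing, and auditd EXECVE records where a wipe command targets a log or history file. The sample events are constructed, and the event-ID meanings are general Windows knowledge rather than values from the page.

```python
import re

# Well-known Windows event IDs that signal auditing was changed or a log was wiped
# (general Windows knowledge, not values taken from the notes above).
WINDOWS_TAMPER_IDS = {
    1102: "Security event log cleared",
    104: "System event log cleared",
    4719: "system audit policy changed (what auditpol does)",
}
WIPE_COMMANDS = {"shred", "rm", "truncate"}
SENSITIVE_PATHS = ("/var/log/", ".bash_history")
EXECVE_RE = re.compile(r'type=EXECVE .*?argc=\d+(?P<args>(?: a\d+="[^"]*")+)')

def check_windows_event(event):
    """Return ('windows', detail) for a Security/System record that indicates tampering."""
    eid = event.get("EventID")
    if eid not in WINDOWS_TAMPER_IDS:
        return None
    who = event.get("SubjectUserName", "?")
    return ("windows", f"EventID {eid}: {WINDOWS_TAMPER_IDS[eid]} by {who}")

def check_auditd_line(line):
    """Return ('linux', detail) for an auditd EXECVE record that wipes a log or history file."""
    m = EXECVE_RE.search(line)
    if not m:
        return None
    argv = re.findall(r'a\d+="([^"]*)"', m.group("args"))
    cmd = argv[0].rsplit("/", 1)[-1]  # strip any directory prefix from argv[0]
    hits_path = any(p in arg for arg in argv[1:] for p in SENSITIVE_PATHS)
    if cmd in WIPE_COMMANDS and hits_path:
        return ("linux", "destructive command on log/history: " + " ".join(argv))
    return None

def detect_tampering(windows_events, auditd_lines):
    """Run both checks and return every alert as (source, detail), in input order."""
    alerts = [a for e in windows_events if (a := check_windows_event(e))]
    alerts += [a for l in auditd_lines if (a := check_auditd_line(l))]
    return alerts

# Constructed sample input: benign records plus one event per technique above.
SAMPLE_WINDOWS_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "alice"},       # ordinary logon, ignored
    {"EventID": 4719, "SubjectUserName": "svc_backup"},  # audit policy changed
    {"EventID": 1102, "SubjectUserName": "svc_backup"},  # Security log cleared
]
SAMPLE_AUDITD_LINES = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="ls" a1="/var/log/"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="shred" a1="-vfzu" a2="/var/log/auth.log"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=2 a0="/usr/bin/rm" a1="/home/bob/.bash_history"',
]
```

Running `detect_tampering(SAMPLE_WINDOWS_EVENTS, SAMPLE_AUDITD_LINES)` yields four alerts: the audit-policy change, the cleared Security log, the shred of auth.log and the removal of .bash_history, while the logon and the plain `ls` are ignored.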
Vocabulary
Conclusion
Log tampering is common practice in hacking because hackers will always want to cover their tracks from the prying eyes of an organization's administrator. It is important for an organization to understand how malicious hackers operate in practice: if a breach is detected, log file tampering may have been one of the intruder's first actions on your systems.
Source: infosecinstitute.com