401d8 read28 - carlosjorr/reading-notes GitHub Wiki
Log Clearing
Explain to a family member some specifics of why a hacker might want to clear log files. Do not use the example from the article.
Log files on a computer system keep a record of various activities, including login attempts, system changes, and network connections. Hackers may want to clear these log files to cover their tracks and avoid detection. When they infiltrate a system, they leave traces in the log files that can be used by administrators and security experts to trace their actions. By deleting or altering log files, hackers can make it difficult for anyone to find evidence of their unauthorized access, making it more challenging for security personnel to identify the breach.
What are three methods by which you can clear logs in a Windows system?
Manual Deletion: A hacker can manually locate and delete log files stored in locations such as the Event Viewer logs or the system log directories. This method requires knowledge of the file paths and of the permissions needed to access and modify these files.
Using Command Line Tools: Hackers can use command line tools like 'del' (delete) or 'cipher' (a Windows command-line tool for managing encrypted data) to erase log files. They might use specific parameters to target and delete log files while avoiding detection.
Malware and Tools: Advanced hackers might deploy malware or specialized tools that can automate the process of clearing log files. These tools can erase logs without direct manual intervention and could be hidden within the system to continue clearing logs periodically.
What are the four steps in the process of covering your tracks?
Initial Access Concealment: After gaining unauthorized access, hackers would aim to hide their presence by deleting or altering log files that might reveal their initial entry point. They might also manipulate timestamps to create confusion about their activity timeline.
Privilege Escalation and Lateral Movement: If hackers need to escalate their privileges or move laterally within the system, they could alter logs to make it appear as though their actions were performed by legitimate users or processes.
Data Exfiltration Concealment: If hackers are stealing data, they would want to delete or manipulate logs to remove evidence of the stolen data being copied or transmitted outside the system.
Persistence and Cleanup: Hackers might implant backdoors or other persistence mechanisms to ensure ongoing access. Before leaving, they would clear logs again to remove any traces of their activities, making it harder for defenders to identify their methods and intentions.
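The flip side of the three clearing methods and the four covering-tracks steps above is that log clearing itself leaves evidence. Windows records an explicit event when a log is cleared (Event ID 1102 in the Security log and Event ID 104 in the System log, both from the Microsoft-Windows-Eventlog provider), sequential record numbers stop being monotonic when entries are removed, and a normally busy log goes quiet. The script below is an added example, not part of this wiki page or of any tool it mentions: it runs those three checks over a small set of constructed event records shaped like the fields Get-WinEvent exposes. The sample data, the user names, and the four-hour "silence" threshold are assumptions chosen for illustration.

```python
"""Detect log clearing in exported Windows event records (added example)."""
from datetime import datetime, timedelta

# Real Windows event IDs written by the Microsoft-Windows-Eventlog provider
# when an administrator or attacker clears a log.
CLEAR_EVENT_IDS = {1102: "Security log cleared", 104: "System log cleared"}

# Constructed sample records (not real telemetry). Field names mirror
# TimeCreated, Id, RecordId, LogName and the account that triggered the event.
# The sample models a record counter that restarts after the clear.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:00:00", "id": 4624, "record": 5001, "log": "Security", "user": "alice"},
    {"time": "2024-03-01T08:05:00", "id": 4672, "record": 5002, "log": "Security", "user": "alice"},
    {"time": "2024-03-01T08:06:00", "id": 7036, "record": 9001, "log": "System", "user": "SYSTEM"},
    {"time": "2024-03-01T09:15:00", "id": 1102, "record": 1, "log": "Security", "user": "svc-backup"},
    {"time": "2024-03-01T09:16:00", "id": 104, "record": 9002, "log": "System", "user": "svc-backup"},
    {"time": "2024-03-01T09:20:00", "id": 4624, "record": 2, "log": "Security", "user": "svc-backup"},
    {"time": "2024-03-01T14:20:00", "id": 4624, "record": 3, "log": "Security", "user": "bob"},
]


def parse_time(stamp):
    """ISO-8601 timestamp string to datetime."""
    return datetime.fromisoformat(stamp)


def find_clear_events(events):
    """Return (time, log, user, description) for every explicit log-clear event.

    This is the highest-confidence signal: Windows writes it on the clear itself.
    """
    return [(e["time"], e["log"], e["user"], CLEAR_EVENT_IDS[e["id"]])
            for e in events if e["id"] in CLEAR_EVENT_IDS]


def find_record_resets(events):
    """Per log, flag a record whose RecordId is not greater than the previous one.

    Sequential record numbers should only increase; a counter that restarts or
    goes backwards means records were removed or the log was reset.
    Returns (time, log, previous_record, current_record).
    """
    last_seen = {}
    findings = []
    for e in sorted(events, key=lambda ev: parse_time(ev["time"])):
        prev = last_seen.get(e["log"])
        if prev is not None and e["record"] <= prev:
            findings.append((e["time"], e["log"], prev, e["record"]))
        last_seen[e["log"]] = e["record"]
    return findings


def find_gaps(events, log, max_silence=timedelta(hours=4)):
    """Flag silent periods longer than max_silence in one log.

    Heuristic only: the threshold (assumed here) must be tuned to how busy the
    host normally is. Returns (start, end) pairs as ISO strings.
    """
    times = sorted(parse_time(e["time"]) for e in events if e["log"] == log)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(times, times[1:]) if b - a > max_silence]


def report(events):
    """Run all three checks and return them as one dictionary."""
    return {
        "clear_events": find_clear_events(events),
        "record_resets": find_record_resets(events),
        "security_gaps": find_gaps(events, "Security"),
    }


if __name__ == "__main__":
    for name, findings in report(SAMPLE_EVENTS).items():
        print(name)
        for item in findings:
            print("  ", item)
```

On a live host the same checks can be fed from Get-WinEvent output exported to JSON; the clear events are the finding to alert on immediately, while the record-reset and silence checks catch tampering that did not go through the normal clear operation and should be reviewed alongside backup copies or forwarded logs that the attacker could not reach.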