
Read: Class 28 Log Clearing

Sérgio Charruadas edited this page Jun 20, 2023 · 3 revisions

Based on the following articles:

Why a hacker might want to clear log files:

Log files contain detailed records of events on a system that can be used to detect, investigate and attribute intrusions. They provide an auditable chronological record of system activities, including user actions, process executions, policy changes and unauthorized access. This makes log files a major risk for hackers, as they can reveal:

  • Time and duration of the intrusion
  • User accounts and credentials used
  • Commands and actions performed during the intrusion
  • Files and data accessed or exfiltrated
  • Malware installed and network connections established

By clearing log files, hackers can remove evidence of these activities, making it much harder to determine how the system was compromised, what data was taken and who was responsible. This helps the hacker remain covert and avoid detection.

Three technical methods to clear logs in Windows:

  • Using clearlogs.exe - This utility specifically targets Windows event logs. It can be run from a command prompt, for example clearlogs.exe -sec to clear the Security log. The utility deletes log entries but leaves behind evidence of itself, which can reveal that log tampering occurred.

  • Using Meterpreter clearev - This Metasploit payload has a built-in 'clearev' command that truncates all Windows event logs at once. It does not leave behind evidence of itself like clearlogs.exe.

  • Manually clearing event logs - Security, application and system logs can be manually deleted through the Windows Event Viewer interface. Right-clicking on a log and selecting 'Clear all events' will permanently delete all entries in that log.

The four steps in the log tampering process:

  • Disable auditing - Uses the Windows auditpol command or the Linux auditd configuration to turn off logging of system and user events. This prevents new evidence from being recorded.

  • Clear logs - Deletes existing log entries through utilities, manual deletion or log file truncation. On Linux, the 'shred' command can be used to securely overwrite and delete log files.

  • Modify logs - In some cases, hackers may strategically modify sensitive log entries related to their activities instead of deleting them, to maintain the log's integrity and avoid suspicion.

  • Erase command history - Hackers delete the shell command history (stored in .bash_history or Windows Command Prompt history) to remove records of the tampering commands they entered.
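The three Windows clearing methods and the four-step tampering process above all leave the same kind of trace on the defender's side: Windows itself writes a record when a log is cleared or when the audit policy is changed, whichever tool asked for it (Event ID 1102 in the Security log for a cleared audit log, 104 in the System log for other cleared logs, 4719 for an audit-policy change), and a log that simply goes quiet on an otherwise active host is consistent with auditing having been disabled. The script below is an added example for these notes, not code from the page or from any of the tools it names. The pipe-delimited line format and the sample records are constructed for illustration; a real deployment would read from the Event Log API, Sysmon or a SIEM export instead.

```python
"""Flag indicators of Windows event-log tampering in a set of event records.

Added example for this reading page. The records in SAMPLE_LOG are constructed,
not captured from a real host, and the pipe-delimited format is an assumption
made for this example only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Event IDs that Windows writes on its own when logs are cleared or auditing
# changes. They are produced regardless of which tool (Event Viewer,
# clearlogs.exe, Meterpreter clearev) requested the action.
TAMPER_EVENT_IDS = {
    ("Security", 1102): "Security audit log was cleared",
    ("System", 104): "An event log was cleared",
    ("Security", 4719): "System audit policy was changed",
}

# Constructed sample: normal activity, an audit-policy change, a long silence,
# then the Security and System logs being cleared.
SAMPLE_LOG = """\
2023-06-20T09:58:12|Security|4624|alice|An account was successfully logged on
2023-06-20T10:02:45|Security|4688|alice|A new process has been created
2023-06-20T10:06:03|Security|4719|alice|System audit policy was changed
2023-06-20T13:30:51|Security|1102|alice|The audit log was cleared
2023-06-20T13:31:07|System|104|alice|The System log file was cleared
2023-06-20T13:32:20|Application|1000|SYSTEM|Faulting application name
"""


@dataclass
class EventRecord:
    timestamp: datetime
    channel: str
    event_id: int
    user: str
    message: str


def parse_log(text: str) -> List[EventRecord]:
    """Parse pipe-delimited records into EventRecord objects, sorted by time.
    Malformed lines are skipped rather than aborting the whole scan."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        ts, channel, event_id, user, message = parts
        try:
            records.append(EventRecord(datetime.fromisoformat(ts), channel,
                                       int(event_id), user, message))
        except ValueError:
            continue
    return sorted(records, key=lambda r: r.timestamp)


def find_tamper_events(records: List[EventRecord]) -> List[Tuple[EventRecord, str]]:
    """Return (record, description) for every clear/audit-change event seen."""
    return [(r, TAMPER_EVENT_IDS[(r.channel, r.event_id)])
            for r in records if (r.channel, r.event_id) in TAMPER_EVENT_IDS]


def find_silence_gaps(records: List[EventRecord], channel: str = "Security",
                      max_gap: timedelta = timedelta(hours=1)) -> List[Tuple[datetime, datetime]]:
    """Return (start, end) pairs where a normally busy channel recorded nothing
    for longer than max_gap. A silent Security log on an active host is what
    disabling auditing (step 1 of the tampering process) looks like from the
    defender's side. The threshold is a tuning choice, not a fixed rule."""
    chan = [r for r in records if r.channel == channel]
    return [(prev.timestamp, nxt.timestamp)
            for prev, nxt in zip(chan, chan[1:])
            if nxt.timestamp - prev.timestamp > max_gap]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec, why in find_tamper_events(recs):
        print(f"{rec.timestamp} {rec.channel} {rec.event_id} by {rec.user}: {why}")
    for start, end in find_silence_gaps(recs):
        print(f"Security log silent from {start} to {end}")
```

Because the clear event is written after the log is emptied, a Security log whose first entry is a 1102 is itself the signal; forwarding events to a collector the host cannot clear is what makes that signal survive the clearing.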

Things I want to know more about

  • What indicators and behaviours can be monitored to detect log tampering?
  • What defensive controls can mitigate the risk of log tampering?
  • How can organizations detect these tampering attempts?