Ethical hacking: Log tampering 101
Getting caught is exactly what every hacker does not want. They want to be able to gain entry into a system and then quickly withdraw to the safety of the internet café they are presumably hacking from. Logs are designed to record nearly everything that occurs in a system, including hacking attempts, and can be the determinative factor in catching hackers after their crime has been committed.
Ethical hackers need to understand how hackers tamper with logs, as it is a common practice with hackers. This article will detail the basics of log tampering for ethical hackers, including disabling auditing, clearing logs, modifying logs and erasing command history. The focus will be on Windows and Linux logs, as they are the most used by organizations.
Please note that this article is intended as an introduction to log tampering for ethical hacking purposes only.
A little about logs
In terms of analogies, hacking is sort of like stealing cookies from the cookie jar. Every cookie thief, or hacker, wants to be able to get in there and do their dirty deeds before getting caught.
Now imagine that this cookie jar is surrounded by fresh snow that covers everything around it. It would be impossible to even get to the cookie jar without leaving tracks — just as it would be impossible to gain entry to a system without being detected. Tampering with logs is the equivalent of covering these obvious tracks that administrators use to catch hackers.
There is a four-step process to covering your tracks by tampering with logs that hackers know like the back of their hand. These steps are:
- Disable auditing
- Clearing logs
- Modifying logs
- Erasing command history
1. Disable auditing
Disabling auditing is a smart first step for hackers because if logging is turned off, there will be no trail of evidence.
In Windows systems, hackers can use the command line favorite, Auditpol, which will not only allow the hacker to disable auditing but will also allow the hacker to see the level of logging that the organization’s system administrator has set. Knowing this will help the hacker see what is logged. This is important because when possible, hackers like to turn off or alter only the logging that captured their activity — making them harder to track.
2. Clearing logs
Since logs preserve the evidence trail of hacking activities, clearing logs is the logical next step for ethical hackers to know about.
How to clear logs in Windows
There are a few ways to clear logs in Windows systems. Presented below are the top methods for performing this track-clearing tactic.
One way is to use the clearlogs.exe file, which can be found here. Once access to the target Windows system is obtained, the file needs to be installed and then run to clear the security logs. To run the file, enter the following into a command line prompt:
This will clear security logs on the target system. To verify if it has worked, open Event Viewer and check the security logs. Voila!
Please note — if the hacker does not remove clearlogs.exe, it will serve as hard evidence of log tampering. If this occurs in a Windows 10 system or Windows Server 2016, event ID 1102(S) will be displayed as an event, and overlooking this is a common error many beginner hackers make.
Meterpreter, originally created for Metasploit by Matt “Skape” Miller in 2004, is an advanced payload, a type of shell that, without getting too technical, includes a command in its newer versions that clears all logs in a Windows system. After compromising the system with Metasploit, use a Meterpreter command prompt and enter the following command:
Meterpreter > clearev
This will present the ethical hacker with a window stating that all of the security, application and system logs have been cleared.
Windows Event Viewer
Even if auditing has been disabled, it is still smart to clear logs in Windows Event Viewer because actions like disabling auditing will display as an event. To perform this simple task, first navigate to Event Viewer under Windows Logs in the folder tree. In the left-hand pane, right-click on the type of logs you want to clear and select Clear All Events. Boom! Done.
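The flip side of the two Windows steps above is that each one leaves its own event: changing the audit policy with Auditpol logs event 4719, clearing the Security log logs 1102(S), and clearing the System or Application log logs 104. The following detection, an added example that is not part of the original article, scans a constructed feed of event records (the `timestamp|host|user|event_id` format and all sample values are assumptions) and escalates when a policy change is followed by a log clear on the same host within a short window, which is exactly the "disable, then clear" sequence described here.

```python
"""Flag Windows audit-tampering events and the 'disable then clear' sequence.
Added example, not from the original article; the feed format and the
sample records are constructed."""
from datetime import datetime, timedelta

# Event IDs documented by Microsoft; 1102(S) is the one the article discusses.
TAMPER_IDS = {
    4719: "audit policy changed (auditpol)",
    1100: "event logging service shut down",
    1102: "Security log cleared",
    104: "System or Application log cleared",
}

def parse(line):
    """Parse one constructed 'timestamp|host|user|event_id' record."""
    ts, host, user, eid = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "id": int(eid)}

def detect_tampering(lines, window=timedelta(minutes=10)):
    """Return (alerts, escalated_hosts). Every tamper ID becomes an alert; a 4719
    followed by a clear (1102 or 104) on the same host inside `window` escalates,
    since together they match the disable-then-clear sequence."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts, escalated = [], set()
    last_policy_change = {}  # host -> timestamp of its most recent 4719
    for ev in events:
        if ev["id"] not in TAMPER_IDS:
            continue  # routine event such as a logon
        alerts.append((ev["host"], ev["user"], TAMPER_IDS[ev["id"]]))
        if ev["id"] == 4719:
            last_policy_change[ev["host"]] = ev["ts"]
        elif ev["id"] in (1102, 104):
            t = last_policy_change.get(ev["host"])
            if t is not None and ev["ts"] - t <= window:
                escalated.add(ev["host"])
    return alerts, sorted(escalated)

# Constructed sample feed, not real telemetry.
SAMPLE = [
    "2024-03-01T09:00:00|WS01|alice|4624",   # normal logon, ignored
    "2024-03-01T09:05:00|WS01|alice|4719",   # audit policy changed
    "2024-03-01T09:07:30|WS01|alice|1102",   # Security log cleared 2.5 min later
    "2024-03-01T09:08:00|WS01|alice|104",    # System log cleared
    "2024-03-01T11:00:00|SRV02|svc|1102",    # clear with no preceding 4719
]

if __name__ == "__main__":
    alerts, escalated = detect_tampering(SAMPLE)
    for a in alerts:
        print(a)
    print("escalated hosts:", escalated)
```

A SIEM that stores these events centrally still has them even after the local Security log is emptied, which is why the 1102(S) record the article mentions is so useful to defenders.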
Linux systems have their own process of log clearing. To perform this, you want to use the shred tool. To shred and erase the log file on the target system, run the following bash command:
shred -vfzu auth.log
Just like that, with one command your logged tracks in Linux have been wiped out.
3. Modifying logs
Knowing is half the battle, and knowing where the logs are in your target system is crucial for any hacker.
Being that you are an ethical hacker working on behalf of your organization, you will already know their location. Inexperienced hackers may not, causing wasted time and an increased chance of detection. In some cases, a text editor may be needed to modify logs; regardless, it is as easy as modifying a Word file.
4. Deleting commands
The thing with bash is that it retains the history of entered bash commands, so unless you clear it, the administrator will be able to see that the shred command above was entered. The retained history of bash commands is found in the file ~/.bash_history.
Log tampering is common practice in hacking because hackers will always want to cover their tracks from the prying eyes of an organization administrator. It’s important for an organization to understand how malicious hackers operate in practice, so that if a breach is detected, defenders know log file tampering may have been one of the attacker's first actions in their systems.
Organizations should store their system logs centrally as much as possible to help confound malicious hackers, preferably with a SIEM solution.
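Central storage works because the attacker can only touch the copy on the compromised host. The check below, an added example that is not part of the original article, compares the auth.log a host still holds against the copy forwarded earlier to a collector, and reports every entry that has gone missing locally; both log copies and the hostnames and addresses in them are constructed.

```python
"""Compare a host's local auth.log with the copy already forwarded to a central
collector and report entries that were removed or wiped locally.
Added example, not from the original article; both copies are constructed."""
from collections import Counter

def parse_auth_log(text):
    """Return the non-empty lines of a syslog-style auth.log."""
    return [line for line in text.splitlines() if line.strip()]

def find_removed_entries(central_copy, local_copy):
    """Lines present in the forwarded copy but absent locally. A Counter is
    used so that genuinely repeated lines are matched one for one."""
    local = Counter(parse_auth_log(local_copy))
    removed = []
    for line in parse_auth_log(central_copy):
        if local[line] > 0:
            local[line] -= 1
        else:
            removed.append(line)
    return removed

def classify(central_copy, local_copy):
    """'log wiped' (e.g. shred -u or an emptied file), 'entries removed'
    (selective editing), or 'consistent'."""
    removed = find_removed_entries(central_copy, local_copy)
    if removed and not parse_auth_log(local_copy):
        return "log wiped"
    if removed:
        return "entries removed"
    return "consistent"

# Constructed copies. 203.0.113.5 is a documentation address, not a real host.
CENTRAL_COPY = """\
Mar  1 09:00:01 ws01 sshd[2231]: Accepted publickey for alice from 10.0.0.8 port 50122 ssh2
Mar  1 09:04:12 ws01 sshd[2290]: Accepted password for root from 203.0.113.5 port 41000 ssh2
Mar  1 09:04:13 ws01 sshd[2290]: pam_unix(sshd:session): session opened for user root
Mar  1 09:30:00 ws01 CRON[2401]: pam_unix(cron:session): session opened for user root
"""
# The local file after the two root-login lines were edited out.
LOCAL_COPY = """\
Mar  1 09:00:01 ws01 sshd[2231]: Accepted publickey for alice from 10.0.0.8 port 50122 ssh2
Mar  1 09:30:00 ws01 CRON[2401]: pam_unix(cron:session): session opened for user root
"""

if __name__ == "__main__":
    print(classify(CENTRAL_COPY, LOCAL_COPY))
    for line in find_removed_entries(CENTRAL_COPY, LOCAL_COPY):
        print("missing locally:", line)
```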
- How to Cover Your Tracks & Leave No Trace Behind on the Target System, WonderHowTo
- Covering Your Tracks and Erasing Evidence, CEH: Certified Ethical Hacker
- 1102(S): The audit log was cleared., Microsoft
- How to effectively clear your bash history, TechRepublic
- How To Clear Tracks & Logs On Linux, Hackersploit