In this guide, I’ll show you a couple of ways that we can cover our tracks, making it VERY hard for a system administrator, forensic investigator, or law authorization operator to follow our malicious exercises.
Log records are the most well-known procedure for a system administrator to figure out what has occurred on their system. Each unsuccessful login, successful login, and security occasion is signed into the log records. So, the first thing we have to do is to make sure there is no trace of our malicious exercises in those log documents.
Disable auditing is a smart first step for hackers because if logging is turned off, there will be no trail of evidence.
One of the initial steps for an hacker who has command line capacity is to see the auditing status of the target system, find sensitive files, and implant tools like, a keystroke logger or network sniffer.
Windows and Linux records certain occasions to the Event Log (or related Syslog). The log is set to regularly send alerts to the user. Consequently, the hacker will need to know the auditing status of the system he/she is attempting to attack before continuing with his/her plans.
Auditpol.exe is a windows tool to adjust Audit Security settings. Hacker can utilize Auditpol to enable or disable security local on nearby or remote systems.
In Linux, auditd command can be used to disable auditing.
service auditd stop
In Windows :-
Use clearlogs.exe to clear windows logs. First, install clearlogs in target system and then use the following command to clear logs:
Don’t forget to remove clearlogs.exe before leaving the system as the mere presence of the clearlogs file will be obvious proof that somebody has compromised their system.
In Linux :-
We can use shred tool to clear logs. Log files are stored in the /var/log directory. Go to log directory and run the following bash command:
shred -vfzu [file name ex: audit.log]
Erasing the Command History
At last, before we leave the compromised Linux system, we need to verify that our command history is erased. Keep in mind, the bash shell we’re using in will save our last 500 commands. A system administrator could track the entirety of our commands and identify and decipher our activities on the system and conceivably use them as proof.
To remove all commands from history in all sessions, you must remove the contents of .bash_history file. Use the following command:
cat /dev/null > ~/.bash_history
Shred command can also be used to clear this file.
shred -vfzu ~/.bash_history