Covering Tracks. We have seen how an attacker hides malicious files on a target computer using various steganographic techniques, NTFS streams and the like, in order to keep future access to the target. Once the attacker has succeeded in this malicious operation, the next step is to get rid of any resulting traces or tracks within the system. Covering tracks is one of the main stages of system hacking. In this stage, the attacker tries to avoid being detected, or “traced out,” by covering all “tracks,” that is, the logs generated while gaining access to the target network or computer. Let us see how an attacker removes traces of an attack from the target computer.
Erasing evidence is a requirement for any attacker who wants to remain unnoticed; it is one method of evading a trace back. This starts with erasing the contaminated logs and any error messages generated during the attack. Then, attackers change the system configuration so that it does not log future activities. By manipulating the event logs, attackers trick the administrator into believing that there is no malicious activity on the system and that no intrusion or compromise has actually taken place.
Because the first thing an administrator does when monitoring for unusual activity is to check the system log files, it is common for intruders to use a utility to alter these logs. In some cases, rootkits can disable and discard all existing logs. Attackers who intend to use the system for an extended period as a launch base for further exploitation remove only those portions of the logs that would reveal their presence.
It is imperative for attackers to make the system appear as it did before access was gained and a backdoor established. To do this, they change any modified file attributes back to their original state. Information such as file size and date is only attribute information stored with the file.
Protecting against attackers who hide their tracks by changing file information can be difficult. However, it is possible to detect whether an attacker has done so by calculating the file's cryptographic hash; this sort of hash is a calculation over the whole file before encryption.
Attackers may not wish to delete an entire log to hide their tracks, as doing so may require administrator privileges. If attackers are able to delete only the event log entries of the attack, they may still be able to escape detection.
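The hash-based check described above, as an added PowerShell example that is not part of the original article: a baseline records size, last-write time and SHA-256 for every file under a directory, and a later comparison flags files whose content hash changed even though size and timestamp were put back to their original values. The directory and baseline paths in the usage comment are assumptions for illustration.

```powershell
# Added example (not from the original article): file-integrity check built on
# Get-FileHash. Attribute information (size, date) can be reset by an attacker;
# the SHA-256 of the whole file cannot be made to match without restoring the
# original content.
function New-FileBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,          # directory to baseline
        [Parameter(Mandatory)] [string] $BaselineFile   # JSON file to write
    )
    $entries = @(Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            Length        = $_.Length
            LastWriteTime = $_.LastWriteTimeUtc.ToString('o')
            Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    })
    ConvertTo-Json -InputObject $entries -Depth 3 | Set-Content -Path $BaselineFile -Encoding UTF8
    return $entries.Count
}

function Compare-FileBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $BaselineFile
    )
    $baseline = @{}
    foreach ($e in @(Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json)) {
        $baseline[$e.Path] = $e
    }
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($file in Get-ChildItem -Path $Path -File -Recurse) {
        $old = $baseline[$file.FullName]
        if ($null -eq $old) {
            $findings.Add([pscustomobject]@{ Path = $file.FullName; Status = 'New' })
            continue
        }
        $baseline.Remove($file.FullName)
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        if ($hash -eq $old.Sha256) { continue }
        # Same size and same timestamp but different content: the attribute
        # information was reset, and only the hash gives the change away.
        $attributesReset = ($file.Length -eq $old.Length) -and
                           ($file.LastWriteTimeUtc.ToString('o') -eq $old.LastWriteTime)
        $status = if ($attributesReset) { 'ModifiedAttributesReset' } else { 'Modified' }
        $findings.Add([pscustomobject]@{ Path = $file.FullName; Status = $status })
    }
    # Anything left in the baseline no longer exists on disk
    foreach ($missing in $baseline.Keys) {
        $findings.Add([pscustomobject]@{ Path = $missing; Status = 'Missing' })
    }
    return $findings
}

# Usage (paths are assumptions):
# New-FileBaseline -Path 'C:\inetpub\wwwroot' -BaselineFile 'D:\baselines\wwwroot.json'
# Compare-FileBaseline -Path 'C:\inetpub\wwwroot' -BaselineFile 'D:\baselines\wwwroot.json' | Format-Table
```

The baseline file must be stored where the monitored host cannot rewrite it (removable media, a separate host or a write-once share); a baseline kept next to the files it protects can be regenerated by the same attacker who altered them.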
The attacker can manipulate the following log files:
– SECEVENT.EVT (security): failed logins, accessing files without privileges
– SYSEVENT.EVT (system): driver failures, things not operating correctly
– APPEVENT.EVT (applications)
Techniques used for covering Tracks
The main activities that an attacker performs to remove his/her traces on the computer are:
– Disabling auditing: the attacker disables the auditing features of the target system
– Clearing logs: the attacker clears or deletes the system log entries of his/her activities
– Manipulating logs: the attacker manipulates logs in such a way that he/she cannot be caught in legal actions
Thus, the whole job of an attacker involves not only compromising the system successfully, but also disabling logging, clearing log files, eliminating evidence, planting additional tools, and covering his/her tracks.
One of the first steps for an attacker who has command-line access is to check the auditing status of the target system, locate sensitive files (such as password files), and implant automatic information-gathering tools (such as a keystroke logger or network sniffer).
Windows records certain events to the Event Log (or an associated syslog). The log can be set to send alerts (email, pager, and so on) to the system administrator. Therefore, the attacker will want to know the auditing status of the system he/she is trying to compromise before proceeding with his/her plans.
Auditpol.exe is the command-line utility used to change audit security settings at the category and subcategory levels. Attackers can use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for various categories of security events.
The attacker would establish a null session to the target machine and run the command:
This will reveal the current audit status of the system. He or she can then choose to disable auditing by:
This will change the various logs which might register the attacker's actions. He/she can then choose to hide the registry keys changed afterwards.
The moment intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they turn auditing back on using the same tool (auditpol.exe).
Attackers can use AuditPol to view the defined auditing settings on the target computer by running the following command at the command prompt:
auditpol /get /category:*
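The defender's side of the auditpol section above, as an added PowerShell example that is not part of the original article: the first function parses the output of the same auditpol /get /category:* command and lists every subcategory currently set to No Auditing; the second pulls the Security log entries that the activities in this section leave behind (event 1102, audit log cleared, and event 4719, system audit policy changed, which is what an auditpol /set produces). Both must be run from an elevated PowerShell session on the host being checked; the Properties[1] index used for the account name is the SubjectUserName field of those two event templates.

```powershell
# Added example (not from the original article): defender-side checks for
# disabled auditing and for audit-log tampering. Run elevated.

# 1. Parse `auditpol /get /category:*`. Subcategory lines are indented by two
#    spaces and end with the setting, e.g.
#      "  Logon                                   Success and Failure"
#    Return the names of all subcategories set to "No Auditing".
function Get-DisabledAuditSubcategory {
    $lines = & auditpol.exe /get /category:* 2>$null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit code $LASTEXITCODE); an elevated prompt is required"
    }
    foreach ($line in $lines) {
        if ($line -match '^\s{2,}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$' -and
            $Matches[2] -eq 'No Auditing') {
            $Matches[1]
        }
    }
}

# 2. Security log entries left behind by log clearing and policy changes:
#    1102 = the audit log was cleared, 4719 = system audit policy was changed.
function Get-AuditTamperingEvent {
    param([int] $Hours = 24)   # look-back window
    $filter = @{
        LogName   = 'Security'
        Id        = @(1102, 4719)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "no events were found" as an error, hence SilentlyContinue
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Account'; Expression = { $_.Properties[1].Value } },
            @{ Name = 'Summary'; Expression = { ($_.Message -split '\r?\n')[0] } }
}

# Usage:
# Get-DisabledAuditSubcategory
# Get-AuditTamperingEvent -Hours 72 | Format-Table -AutoSize
```

Event 1102 is written as the last entry of the freshly cleared log, so it survives the clearing itself; a host whose Security log begins with 1102 and then shows 4719 entries setting subcategories to No Auditing has been through exactly the sequence this section describes. Forwarding the Security log to a collector off the host keeps both events available even if the local log is cleared again later.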