Ethical hacking: Log tampering 101
Getting caught is exactly what every hacker does not want. They want to be able to gain entry into a system and then quickly withdraw to the safety of the internet café they are presumably hacking from. Logs are designed to record nearly everything that occurs in a system, including hacking attempts, and can be the determinative factor in catching hackers after their crime has been committed.
Ethical hackers need to understand how hackers tamper with logs, as it is a common practice with hackers. This article will detail the basics of log tampering for ethical hackers, including disabling auditing, clearing logs, modifying logs and erasing command history. The focus will be on Windows and Linux logs, as they are the most used by organizations.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
Please note that this article is intended as an introduction to log tampering for ethical hacking purposes only.
A little about logs
In terms of analogies, hacking is sort of like stealing cookies from the cookie jar. Every cookie thief, or hacker, wants to be able to get in there and do what their dirty deeds before getting caught.
Now imagine that this cookie jar is surrounded by fresh snow that covers everything around it. It would be impossible to even get to the cookie jar without leaving tracks — just as it would be impossible to gain entry to a system without being detected. Tampering with logs is the equivalent of covering these obvious tracks that administrators use to catch hackers.
The process
There is a four-step process to covering your tracks by tamping with logs that hackers know like the back of their hand. These steps are:
- Disable auditing
- Clearing logs
- Modifying logs
- Erasing command history
1. Disable auditing
Disable auditing is a smart first step for hackers because if logging is turned off, there will be no trail of evidence.
In Windows systems, hackers can use the command line favorite, Auditpol, which will not only allow the hacker to disable auditing but will also allow the hacker to see the level of logging that the organization’s system administrator has set. Knowing this will help the hacker see what is logged. This is important because when possible, hackers like to turn off or alter only the logging that captured their activity — making them harder to track.
2. Clearing logs
Since logs preserve the evidence trail of hacking activities, clearing logs is the logical next step for ethical hackers to know about.
How to clear logs in Windows
There are a few ways to clear logs in Windows systems. Presented below are the top methods for performing this track-clearing tactic.
Clearlogs.exe
One way is to use the clearlogs.exe file, which can be found here. Once access to the target Windows system is obtained, the file needs to be installed and then run to clear the security logs. To run the file, enter the following into a command line prompt:
clearlogs.exe -sec
This will clear security logs on the target system. To verify if it has worked, open Event Viewer and check the security logs. Voila!
Please note — if the hacker does not remove clearlogs.exe, it will serve as hard evidence of log tampering. If this occurs in a Windows 10 system or Windows Server 2016, event ID 1102(S) will be displayed as an event, and overlooking this is a common error many beginner hackers make.
Meterpreter
Originally created by Metasploit and Matt “Skape” Miller in 2004, this advanced payload is a type of shell that, without getting too technical, will help to clear all logs in a Windows system in newer versions of Meterpreter. After compromising the system with Metasploit, use a Meterpreter command prompt and enter the following command:
Meterpreter > clearev
This will present the ethical hacker with a window stating that all of the security, application and system logs have been cleared.
Windows Event Viewer
Even if auditing has been disabled, it is still smart to clear logs in Windows Event Viewer because actions like disabling auditing will display as an event. To perform this simple task, first navigate to Event Viewer under Windows Logs in the folder tree. In the left-hand pane, right-click on the type of logs you want to clear and select Clear All Events. Boom! Done.
Linux systems
Linux systems have their own process of log clearing. To perform this, you want to use the Shred tool. To shred and erase the log file on the target system, run the following bash command:
Shred -vfzu auth.log
Just like that, with one command your logged tracks in Linux have been wiped out.
3. Modifying logs
Knowing is half the battle, and knowing where the logs are in your target system is crucial for any hacker.
Being that you are an ethical hacker working on behalf of your organization, you will already know their location. Inexperienced hackers may not, causing wasted time and an increased chance of detection. In some cases, a text editor may be needed to modify logs; regardless, it as easy as modifying a Word file.
4. Deleting commands
The thing with bash is that it retains the history of entered bash commands, so unless you clear it, the administrator will be able to see that the Shred command above was entered. The retained history of bash commands is found in the file ~/.bash_history.
Conclusion
Log tampering is common practice in hacking because hackers will always want to cover their tracks from the prying eyes of an organization administrator. It’s important for an organization to understand how malicious hackers will operate in practice, so if a hacking breach is detected, log file tampering may be one of their first actions in your systems.
Organizations should centrally store their system logs as much as possible to help confound malicious hackers, preferably with a SIEM solution.
FREE role-guided training plans
Sources
- How to Cover Your Tracks & Leave No Trace Behind on the Target System, WonderHowTo
- Covering Your Tracks and Erasing Evidence, CEH: Certified Ethical Hacker
- 1102(S): The audit log was cleared., Microsoft
- How to effectively clear your bash history, TechRepublic
- How To Clear Tracks & Logs On Linux, Hackersploit
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Ethical hacking: Log tampering 101
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
- Ethical hacking: Attacking routers
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
