Covering Tracks

In the previous stage we saw how an attacker hides malicious files on a target computer, using steganographic techniques, NTFS streams and other methods, in order to keep future access to the target. Once the attacker has succeeded in this, the next step is to get rid of any resulting traces within the system. Covering tracks is one of the main stages of system hacking. In this stage the attacker tries to avoid being detected, or "traced", by covering all "tracks", that is the logs generated while gaining access to the target network or computer. Let's see how the attacker removes traces of an attack from the target computer.

Erasing evidence is a requirement for an attacker who wants to remain obscure; it is one way to evade a traceback. This starts with erasing the contaminated logs and any error messages generated during the attack. Then the attacker changes the system configuration so that it does not log future activities. By manipulating and tweaking the event logs, the attacker tricks the administrator into believing that there is no malicious activity on the system and that no intrusion or compromise has actually taken place.

Because the first thing an administrator does when monitoring for unusual activity is to check the system log files, it is common for intruders to use a utility to alter these logs. In some cases, rootkits can disable logging and discard all existing logs. If attackers intend to use the system for an extended period as a launch base for further exploitation, they remove only those portions of the logs that would reveal their presence.

It is imperative for attackers to make the system appear as it did before access was gained and a backdoor was established. This requires changing any modified file attributes back to their original state. Information such as file size and date is simply attribute information stored with the file.

Protecting against attackers who hide their tracks by changing file information is difficult. However, it is possible to detect whether an attacker has done so by calculating the file's cryptographic hash: this kind of hash is computed over the entire contents of the file, so a change in content is revealed even when the size and date attributes have been restored.
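As an added example (not code from the original post), the PowerShell script below builds a SHA-256 baseline of a directory and later reports files whose content hash changed, flagging those whose size and modification time still match the baseline; the monitored directory and baseline path are placeholders.

```powershell
# Added example, not from the original post. Both paths are placeholders.
param(
    [string]$Path = 'C:\inetpub\wwwroot',          # hypothetical directory to protect
    [string]$Baseline = 'C:\baseline\hashes.csv',  # hypothetical baseline location
    [switch]$Update                                # rewrite the baseline instead of comparing
)

# Record the hash together with the attributes an intruder typically resets.
function Get-Snapshot([string]$Root) {
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Size   = $_.Length
            Mtime  = $_.LastWriteTimeUtc.ToString('o')
        }
    }
}

if ($Update -or -not (Test-Path $Baseline)) {
    Get-Snapshot $Path | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Baseline written to $Baseline"
    return
}

# Index the stored baseline by path, then walk the current state against it.
$old = @{}
Import-Csv $Baseline | ForEach-Object { $old[$_.Path] = $_ }
foreach ($f in Get-Snapshot $Path) {
    $b = $old[$f.Path]
    if (-not $b) { Write-Warning "NEW      $($f.Path)"; continue }
    if ($b.Sha256 -ne $f.Sha256) {
        # Content changed. If size and mtime still equal the baseline, the
        # attributes were put back by hand; the hash catches it anyway.
        $hint = ''
        if ($b.Size -eq $f.Size -and $b.Mtime -eq $f.Mtime) { $hint = ' (size/mtime restored)' }
        Write-Warning "MODIFIED $($f.Path)$hint"
    }
    $old.Remove($f.Path)
}
# Anything left in the baseline index no longer exists on disk.
$old.Keys | ForEach-Object { Write-Warning "DELETED  $_" }
```

Keep the baseline CSV on separate, write-protected storage; a baseline the intruder can rewrite proves nothing.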

Attackers may not wish to delete an entire log to hide their tracks, as doing so may require administrator privileges. If attackers are able to delete only the log entries that record their attack, they may still escape detection.

The attacker can manipulate the following log files:

SECEVENT.EVT (security): failed logins, attempts to access files without privileges
SYSEVENT.EVT (system): driver failures, components not operating correctly
APPEVENT.EVT (applications): application events


Techniques used for covering tracks

The main activities an attacker performs to remove his/her traces from the computer are:

Disabling auditing: the attacker disables the auditing features of the target system
Clearing logs: the attacker clears or deletes the system log entries that record his/her activities
Manipulating logs: the attacker alters logs in such a way that he/she cannot be tied to the activity in any legal action

Thus, the whole job of an attacker involves not only compromising the system successfully, but also disabling logging, clearing log files, eliminating evidence, planting additional tools, and covering his/her tracks.


Auditpol

One of the first steps for an attacker who has command-line access is to check the auditing status of the target system, locate sensitive files (such as password files), and plant automatic information-gathering tools (such as a keystroke logger or network sniffer).

Windows records certain events to the Event Log (or to an associated syslog). The log can be configured to send alerts (email, pager, and so on) to the administrator. Therefore, the attacker will want to know the auditing status of the system he/she is trying to compromise before proceeding with his/her plans.

Auditpol.exe is the command-line utility for changing audit security settings at the category and subcategory levels. Attackers can use Auditpol to enable or disable security auditing on local or remote systems and to adjust the audit criteria for various categories of security events.

The attacker would establish a null session to the target machine and run the command (the target name is a placeholder):

C:\>auditpol \\<target>

This reveals the current audit status of the system. He or she can then choose to disable auditing with:

C:\>auditpol \\<target> /disable

This stops the various logs from registering the attacker's actions. He/she may also choose to hide the registry keys changed afterwards.

The moment intruders gain administrative privileges, they disable auditing with the help of auditpol.exe. Once they complete their mission, they turn auditing back on using the same tool (auditpol.exe).

Attackers can use Auditpol to view the auditing settings defined on the target computer by running the following command at the command prompt:

auditpol /get /category:*
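As an added defender-side example (not code from the original post), this PowerShell snippet reads the same audit-policy data that auditpol /get /category:* reports, lists subcategories set to No Auditing, and checks the Security log for the events that a policy change or a log clearing leaves behind; it assumes an elevated session and the standard Windows event IDs 4719 (system audit policy was changed) and 1102 (the audit log was cleared).

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.

# 1. Audit policy: the /r switch makes auditpol emit CSV, which PowerShell can parse.
#    Subcategories reporting "No Auditing" are what a disabled policy looks like.
function Get-DisabledAuditSubcategories {
    $rows = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $rows | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

# 2. Security log: 4719 = "System audit policy was changed",
#    1102 = "The audit log was cleared". Both name the account responsible,
#    so a cleared log is itself a trace.
function Get-AuditTamperEvents([int]$Days = 7) {
    $filter = @{ LogName = 'Security'; Id = 4719, 1102; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The "Subject" block of both messages carries "Account Name:"; pull it out.
        $account = if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = $account
            Summary = ($_.Message -split "`r?`n")[0]
        }
    }
}

Write-Host 'Subcategories with auditing disabled:'
Get-DisabledAuditSubcategories | Format-Table -AutoSize
Write-Host 'Audit policy changes and log clears in the last 7 days:'
Get-AuditTamperEvents | Format-Table -AutoSize
```

Windows writes event 1102 to the Security log regardless of the audit settings, so even a log wiped clean still carries the marker of who cleared it; forwarding the Security log to a separate collector keeps that marker out of the intruder's reach.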

In this scenario the hacker tries to cover his/her tracks: having used NTFS streams to hide files so that the compromised system can be used again later, he/she then removes all the remaining files and logs from the compromised computer.

