Cover your Tracks
Once persistent access has been established, it's important to cover your tracks to maintain stealth and avoid detection.
Auditpol
Auditpol.exe is a command-line utility tool designed to modify security auditing settings both at the category and sub-category levels. It enables you to manipulate security auditing by enabling or disabling it on local or remote systems and configuring specific criteria for various security event categories.
In real-world scenarios, attackers with administrative privileges often employ auditpol.exe to disable auditing once they gain control over a system. This lets them operate covertly during their mission. Afterwards, having accomplished their objectives, they use the same tool, auditpol.exe, to re-enable auditing, covering their tracks and maintaining stealth.
Below are a few handy Auditpol commands:
To view all the audit policies:
auditpol /get /category:*
To enable logon audit policy:
auditpol /set /category:"system","account logon" /success:enable /failure:enable
To clear the audit policies:
auditpol /clear /y
Deleting Files
Cipher.exe is an in-built Windows CLI tool that can be used to delete data while overwriting it.
Overwrite files in folder: cipher /w:<drive letter>:\<folder name>
Overwrite entire drive: cipher /w:<drive letter>
Covering BASH Shell tracks
Disabling history
export HISTSIZE=0
Clearing the history
Clear stored history: history -c
Write the current shell's (now emptied) in-memory history to the history file: history -w
Clearing the user's complete history
cat /dev/null > ~/.bash_history && history -c && exit
Shredding the history
Make the history unreadable: shred ~/.bash_history
Shred the history and the evidence of the command: shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit
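From the defender's side, the bash commands above only hide activity if the shell history is the sole record of it. Where commands are forwarded off-host (for example by auditd or a PROMPT_COMMAND logger writing to syslog), the anti-forensic commands themselves become the signal. The following is an added example, not part of the original page: it parses constructed key=value command-log lines (the log format, hostnames and user names are assumptions) and flags every history-disabling, history-clearing or history-shredding command listed in this section.

```python
"""
Added example (not from the original page): flag bash history tampering
in a forwarded command log. The log line format below is an assumption
(key=value pairs with the command in double quotes); the sample lines
are constructed, not real telemetry.
"""
import re

# Patterns for the history-tampering commands discussed in this section.
HISTORY_TAMPER_PATTERNS = [
    (re.compile(r"\bHISTSIZE=0\b"), "history size set to 0"),
    (re.compile(r"\bHISTFILESIZE=0\b"), "history file size set to 0"),
    (re.compile(r"\bHISTFILE=/dev/null\b"), "history file redirected to /dev/null"),
    (re.compile(r"\bunset\s+HISTFILE\b"), "HISTFILE unset"),
    (re.compile(r"\bset\s+\+o\s+history\b"), "history recording disabled"),
    (re.compile(r"\bhistory\s+-c\b"), "in-memory history cleared"),
    (re.compile(r"\bshred\b.*bash_history"), "history file shredded"),
    (re.compile(r"/dev/null\s*>\s*\S*bash_history"), "history file truncated"),
]

# key=value or key="quoted value" (quoted values are consumed whole, so an
# '=' inside the command, such as HISTSIZE=0, is not split into a new pair).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one constructed log line into a dict of its key=value fields."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def check_command(cmd):
    """Return the labels of every tampering pattern that matches one command."""
    return [label for pattern, label in HISTORY_TAMPER_PATTERNS if pattern.search(cmd)]


def scan_command_log(lines):
    """Return one finding dict per (command, matched pattern) across the log."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        cmd = fields.get("cmd", "")
        for label in check_command(cmd):
            findings.append({
                "ts": fields.get("ts"),
                "host": fields.get("host"),
                "user": fields.get("user"),
                "cmd": cmd,
                "label": label,
            })
    return findings


# Constructed sample log lines (hosts, users and timestamps are made up).
SAMPLE_LINES = [
    'ts=2024-03-01T09:00:01Z host=web01 user=alice cmd="ls -la /var/log"',
    'ts=2024-03-01T09:00:07Z host=web01 user=alice cmd="export HISTSIZE=0"',
    'ts=2024-03-01T09:02:15Z host=web01 user=bob cmd="history -c"',
    'ts=2024-03-01T09:02:16Z host=web01 user=bob cmd="history -w"',
    'ts=2024-03-01T09:05:30Z host=db01 user=root '
    'cmd="shred ~/.bash_history && cat /dev/null > ~/.bash_history && history -c && exit"',
    'ts=2024-03-01T09:06:00Z host=db01 user=root cmd="systemctl status sshd"',
]

if __name__ == "__main__":
    for f in scan_command_log(SAMPLE_LINES):
        print(f"{f['ts']} {f['host']} {f['user']}: {f['label']} <- {f['cmd']}")
```

Detection of this kind only works if the command record leaves the host before the history file is touched, which is why the usual mitigation pairs off-host command logging with an append-only history file (chattr +a on ~/.bash_history) rather than relying on the history file alone.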
Clear Windows Machine Log
Here is a .bat script that will clear Windows Logs
Note: Wevtutil is a command-line utility that serves multiple purposes related to event logs and publishers. It allows you to access information about event logs, install and uninstall event manifests, execute queries, as well as export, archive, and clear logs.
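Each of the Windows techniques on this page (auditpol disabling or clearing audit policy, cipher /w overwriting free space, and wevtutil clearing event logs) leaves a footprint in the events that are generated before or despite the tampering: Security event 1102 and System event 104 record a log being cleared, 4719 records a change to the system audit policy, and 4688 (with command-line auditing enabled) records the tool invocation itself. The block below is an added example, not part of the original page: it classifies constructed event records (the field names follow the usual Security-log fields; RecordIds, user names and paths are made up) and flags the ones that match these techniques, while leaving the page's own benign commands (auditpol /get, auditpol /set ... enable) unflagged.

```python
"""
Added example (not from the original page): flag Windows event records that
indicate audit tampering, log clearing or free-space wiping. The event dicts
are constructed samples in the shape a SIEM would extract, not real telemetry.
"""
import re

# Real Windows event IDs used here:
#   1102  the audit log was cleared (Security log)
#   104   the event log file was cleared (System log)
#   4719  system audit policy was changed
#   4688  a new process has been created (command line needs process
#         command-line auditing enabled to be present)
LOG_CLEARED_IDS = {1102, 104}
POLICY_CHANGED_ID = 4719
PROCESS_CREATED_ID = 4688

# Command-line patterns for the tools this page describes.
SUSPICIOUS_CMDLINES = [
    (re.compile(r"auditpol(\.exe)?\s+/clear\b", re.I), "auditpol: audit policy cleared"),
    (re.compile(r"auditpol(\.exe)?\s+/set\b.*\bdisable\b", re.I), "auditpol: audit setting disabled"),
    (re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "wevtutil: event log cleared"),
    (re.compile(r"cipher(\.exe)?\s+/w:", re.I), "cipher: free-space overwrite"),
]


def classify(event):
    """Return finding labels for one event dict; empty list if nothing of interest."""
    findings = []
    eid = event.get("EventID")
    if eid in LOG_CLEARED_IDS:
        findings.append(f"event log cleared by {event.get('SubjectUserName', '?')}")
    elif eid == POLICY_CHANGED_ID:
        findings.append(f"audit policy changed ({event.get('SubcategoryName', '?')})")
    elif eid == PROCESS_CREATED_ID:
        cmd = event.get("CommandLine", "")
        for pattern, label in SUSPICIOUS_CMDLINES:
            if pattern.search(cmd):
                findings.append(label)
    return findings


def scan(events):
    """Return (RecordId, finding) pairs for every suspicious event."""
    return [(e["RecordId"], f) for e in events for f in classify(e)]


# Constructed sample events (RecordIds, user names and paths are made up).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4688, "SubjectUserName": "svc-backup",
     "CommandLine": "C:\\Windows\\system32\\auditpol.exe /get /category:*"},
    {"RecordId": 2, "EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": 'auditpol /set /category:"system","account logon" /success:enable /failure:enable'},
    {"RecordId": 3, "EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": "auditpol /clear /y"},
    {"RecordId": 4, "EventID": 4719, "SubjectUserName": "jdoe",
     "SubcategoryName": "Logon"},
    {"RecordId": 5, "EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": "wevtutil cl Security"},
    {"RecordId": 6, "EventID": 1102, "SubjectUserName": "jdoe"},
    {"RecordId": 7, "EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": "cipher /w:C:\\Users\\jdoe\\Downloads"},
    {"RecordId": 8, "EventID": 4688, "SubjectUserName": "alice",
     "CommandLine": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for record_id, finding in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {finding}")
```

The 1102 and 4719 events are written by the system itself and survive a cleared log only if they have already been forwarded, so in practice these rules are run on a collector (WEF or a SIEM) rather than on the endpoint's local log.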
Other tools