Pentesting and Event Logs

Event logs aren’t always reliable at face value, considering the fact that hackers have numerous ways of compromising them. Pentesters can use Metasploit’s meterpreter to run a script called clearev and utterly wipe the logs. On a Windows system, a clearev wipe would expunge Security, Application, and System logs. Furthermore, an application called clearlogs.exe can be used to the same effect. If the attacker has remote admission to a machine, they can upload the program with TFTP and run it with the -sec flag. On Linux systems, the wiping process could be more straightforward. Since logs are stored in the var/log directory, an attacker could escalate privileges, open the file, and delete entries at their discretion. Additionally, attackers can diminish their footprint by erasing their command history. On Linux systems in particular, shells can be opened and set up so their history has a variable size of zero.

That said, there are still ways to detect breaches using event logs. Since network intrusion usually involves the exploitation of more than one machine and surrounding infrastructure, investigators can inspect each node and the overall traffic for suspicious records. Furthermore, even if logs were erased on a Windows machine, the investigator knows that malicious activity was probably carried out using that device. Moreover, centralized log management systems observe transmissions from throughout their networks.

Metasploit’s Meterpreter:

Selection_015.png

clearlogs.exe:

figure12.png

var/log:

Figure2.jpg

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s