The first thing intruders do after gaining administrator privileges is disable auditing. Windows auditing records certain events in a log file that is stored in the Windows Event Viewer. Events can include logging into the system, an application, or an event log. An administrator can choose the level of logging implemented on a system. Hackers want to determine the level of logging implemented to see whether they need to clear events that indicate their presence on the system.
Intruders can easily wipe out the security logs in the Windows Event Viewer. An event log that contains one or just a few events is suspicious because it usually indicates that other events have been cleared. It's still necessary to clear the event log after disabling auditing, because using the Auditpol tool places an entry in the event log indicating that auditing has been disabled. Several tools exist to clear the event log, or a hacker can do so manually in the Windows Event Viewer.
Hacking Tools
The elsave.exe utility is a simple tool for clearing the event log. It's command line based.
WinZapper is a tool that an attacker can use to erase event records selectively from the security log in Windows 2000. WinZapper also ensures that no security events are logged while the program is running.
Evidence Eliminator is a data-cleansing system for Windows PCs. It prevents unwanted data from becoming permanently hidden in the system. It cleans the Recycle Bin, Internet cache, system files, temp folders, and so on. Evidence Eliminator can also be used by a hacker to remove evidence from a system after an attack.
'Hacking' 카테고리의 다른 글
| Checking a System with System File Verification (0) | 2011.09.13 |
|---|---|
| Trojan (0) | 2011.09.13 |
| Steganography Technologies (0) | 2011.09.13 |
| To Catch An APT (0) | 2011.09.10 |
| Metasploit (1) | 2011.09.09 |
