How to Clear Windows Event Log Management Using Metasploit Meterpreter irb Shell
Type : Tips and Trick
Level : All Levels
Testing Operating System : Windows XP SP0 (Using ms08_067_netapi exploit)
After you successfully compromised a system usually you will do a lot of work there. But did you know that every activities you do inside compromised computer it’s actually recorded by the system?
Sometimes it’s best to not have your activities been logged. Whatever the reason, you may find a circumstance where you need to clear away the windows event logs. Because there’s also a lot of forensic tools to help finding out what happen in compromised computer and also tracking anything if you have log in your victim computer.
Here in this tips and trick, I will explain simple tutorial about how to clear Windows event log to minimize you’ve been tracked by forensic investigators.
When victim run eventvwr, there’s should be window like this below with some alert and information.
The error information maybe we can’t understand but with help of computer forensic tools it should be more easier.
In this case we need to clear the event log by using ruby interpreter in Meterpreter to clear the logs on the fly.
Now, let’s exploit the system and manually clear away the logs.
Then the next step “clear the log” by using log.clear.
Success…we cleared the windows system event logs. But there’s another main things here that the event logs is not only “System” itself, but still have security, Application, DNS, etc, and we need to clear all of that logs to minimize being tracked by forensic investigators.
To do that, let’s adopted winenum.rb scripts located in /pentest/exploits/framework3/scripts/meterpreter/winenum.rb and find clrevtlgs() function. That function used to clear all windows event logs.
I’ve created new scripts adopted from winenum.rb (just copy and modify the clrevtlgs function)and renamed to clearthelog.rb containing this :
After re-writing the script, we put it in /pentest/exploits/framework3/scripts/meterpreter. Then, let’s re-exploit the system and see if it works.
And here’s screenshot of windows event viewer on victim computer.
Success!
Hope you enjoyed 
Incoming search terms:
- meterpreter clear event logs
- clear logs meterpreter
- clear event log metasploit
- meterpreter event log
- metasploit clean logs
- irb delete log on windows
- how to clear logs meterpreter
- hacking windows event logs
- hacking clearing event logs windows xp
- hack windows event viewer
Written by Vishnu Valentino.
Founder of hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com
See all posts by v4L || Visit Website : http://www.vishnuvalentino.com
Popular Posts
2 Responsesto “How to Clear Windows Event Log Management Using Metasploit Meterpreter irb Shell”
Trackbacks/Pingbacks
- Metasploit Meterpreter Client Core Commands You Should Know | Vishnu Valentino Hacking Tutorial, Tips and Trick - [...] the following example we are running the scripts/meterpreter/clearthelog.rb script from my previous tutorial, which clear all event viewer logs ...
Leave a Reply
Links
Get Updates via Networkedblogs
Hi
please give me the script file modified
run clearthelog script not clear log in windows 7?please post again with some deep how to modify log file?