How to Clear Windows Event Log Management Using Metasploit Meterpreter irb Shell


Type : Tips and Trick

Level : All Levels

Testing Operating System : Windows XP SP0 (Using ms08_067_netapi exploit)

After you have successfully compromised a system, you will usually do a lot of work there. But did you know that every activity you perform inside the compromised computer is actually recorded by the system?

Sometimes it's best not to have your activities logged. Whatever the reason, you may find yourself in a circumstance where you need to clear away the Windows event logs, because there are also a lot of forensic tools that help find out what happened on a compromised computer and trace everything you did if your activity is still in the victim's logs.

In this tips and trick I will give a simple tutorial on how to clear the Windows event log to minimize the chance of being tracked by forensic investigators.

When the victim runs eventvwr, there should be a window like the one below with some alerts and information.

[Screenshot: Event Viewer on the victim]

We may not understand the error information ourselves, but with the help of computer forensic tools it becomes much easier to interpret.

In this case we clear the event log on the fly using the Ruby interpreter (irb) inside Meterpreter.

Now, let’s exploit the system and manually clear away the logs.

[Screenshot: Meterpreter irb session]

The next step is to clear the log using log.clear.

[Screenshot: log.clear in the irb session]

Success, we cleared the Windows System event log. But there is another important point here: the event logs are not only "System"; there are also Security, Application, DNS, etc., and we need to clear all of those logs to minimize being tracked by forensic investigators.

To do that, let's adapt the winenum.rb script located at /pentest/exploits/framework3/scripts/meterpreter/winenum.rb and find the clrevtlgs() function. That function is used to clear all Windows event logs.

I've created a new script adapted from winenum.rb (just copy and modify the clrevtlgs function) and renamed it clearthelog.rb, containing this:

[Screenshot: clearthelog.rb]

After rewriting the script, we put it in /pentest/exploits/framework3/scripts/meterpreter. Then let's re-exploit the system and see if it works.

[Screenshot: running clearthelog.rb from Meterpreter]

And here's a screenshot of the Windows Event Viewer on the victim computer.

[Screenshot: Event Viewer on the victim after clearing]

Success!
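From the other side of the table, here is an added example that is not part of the original post: a small Python checker over forwarded event records (constructed sample JSON lines, one per event) that flags what Windows writes into a log at the moment it is cleared (Security 1102 and System 104 on Vista and later; XP's legacy service wrote 517 for the Security log instead) and process-creation events whose command line runs wevtutil cl. The field names (timestamp, host, channel, event_id, user, command_line) are an assumed forwarder schema, not any particular product's.

```python
import json

# Constructed sample telemetry (not from the post): one JSON record per line, as a
# log forwarder would ship to a SIEM; the field names are an assumed schema.
SAMPLE_EVENTS = r"""
{"timestamp":"2024-05-01T10:02:11Z","host":"WS-XP-01","channel":"Security","event_id":4688,"user":"SYSTEM","command_line":"svchost.exe -k netsvcs"}
{"timestamp":"2024-05-01T10:05:40Z","host":"WS-XP-01","channel":"System","event_id":104,"user":"SYSTEM"}
{"timestamp":"2024-05-01T10:05:41Z","host":"WS-XP-01","channel":"Security","event_id":1102,"user":"SYSTEM"}
{"timestamp":"2024-05-01T10:07:03Z","host":"WS-7-02","channel":"Security","event_id":4688,"user":"admin","command_line":"\"C:\\Windows\\System32\\wevtutil.exe\" cl Application"}
{"timestamp":"2024-05-01T10:09:15Z","host":"WS-7-02","channel":"Security","event_id":4688,"user":"admin","command_line":"wevtutil.exe qe System /c:5"}
"""

# Records Windows (Vista and later) writes into a log as it is cleared, whether by
# wevtutil, Event Viewer or the ClearEventLog API behind Meterpreter's clearev and
# log.clear; they land in the freshly emptied log, so clearing cannot remove them.
# (XP's legacy event log service wrote 517 for the Security log instead.)
LOG_CLEARED = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "System log cleared",
}
# Process-creation events that carry the full command line.
PROCESS_CREATION = {("Security", 4688), ("Microsoft-Windows-Sysmon/Operational", 1)}

def clears_log(command_line: str) -> bool:
    """True when a command line runs wevtutil with its clear-log verb (cl)."""
    tokens = command_line.replace('"', " ").lower().split()
    if len(tokens) < 2:
        return False
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1]
    return image in ("wevtutil", "wevtutil.exe") and tokens[1] in ("cl", "clear-log")

def detect_log_clearing(jsonl: str) -> list:
    """Return (host, event_id, description) for every log-clearing indicator."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev.get("channel"), ev.get("event_id"))
        if key in LOG_CLEARED:
            alerts.append((ev["host"], ev["event_id"], LOG_CLEARED[key]))
        elif key in PROCESS_CREATION and clears_log(ev.get("command_line", "")):
            alerts.append((ev["host"], ev["event_id"], "wevtutil clear-log: " + ev["command_line"]))
    return alerts

if __name__ == "__main__":
    for host, event_id, what in detect_log_clearing(SAMPLE_EVENTS):
        print(f"ALERT {host} event {event_id}: {what}")
```

Because the 1102/104 records survive only if they are forwarded off the host before the next clear, the check is only useful when events are shipped continuously rather than read from the victim's local log afterwards.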

Hope you enjoyed :)


Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

Visit Website : http://www.vishnuvalentino.com


  • Hi
    please give me the script file modified

  • amit

    run clearthelog script not clear log in Windows 7? please post again with some deep how to modify log file?

  • Me

    Just execute the following command within a Windows shell: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

  • Ahmed Saied

    why are you making all these steps, first you must open shell and make another steps why all this :)
    keep searching you will find a simple command.

    • Ahmed Saied

      in simple words try clearev in meterpreter
      which will clear all logs.