Clearing tracks and trails

A penetration test consists of a sequence of complex tasks executed against the target, and every one of them leaves marks on the target system: configuration files get modified, audit records accumulate in log files and, on Windows systems, the registry changes. All of these artifacts help investigators or blue team members to reconstruct the attack path after the fact.

After completing a penetration test, it is good practice to remove the residual files (payloads, tools and dropped scripts) that were used during the compromise. Whether audit logs are cleared as well must be agreed with the blue team in the rules of engagement, since destroying evidence is rarely acceptable in a production environment. Another reason to clear the tracks during an engagement is to test the organization's post-incident response capabilities: can the blue team still reconstruct what happened once the obvious evidence is gone? Real-world attackers, of course, do exactly this to cover their tracks and stay undetected.

Metasploit has certain capabilities that help with clearing tracks. First, we need to exploit a vulnerability and gain Meterpreter access to our target:

The following screenshot shows the Application event logs on our target system:

The following screenshot shows the System event logs on our target system:

Now that we have Meterpreter access to our target system, we escalate our privileges to SYSTEM with the getsystem command, since clearing the event logs requires administrative rights. Meterpreter has a command called clearev that wipes the Application, System and Security event logs on the target. When we execute clearev, all the records in these logs are erased. Keep in mind that clearing the logs is itself an auditable action: Windows writes an event into the freshly emptied Security log (Event ID 1102, "The audit log was cleared") and into the System log (Event ID 104), and any records that were already forwarded to a SIEM or log collector are unaffected, so a blue team will typically notice the gap and the clearing event rather than nothing at all:

The following screenshot shows that the Application event log is empty after running clearev:

The following screenshot shows that the System event log is empty after running clearev:

Similarly, on a target running Linux, there are a few things we can do to reduce our traces. The shell (bash on most distributions) keeps a history of the commands typed in the session, which can be viewed with the history command:

In bash, the variable that controls how many commands are kept in the in-memory history list is HISTSIZE; the setting is the same on Debian-based and other distributions. If we set it to 0 in our session (export HISTSIZE=0), no further commands are recorded, and bash has nothing to write to ~/.bash_history when the session ends. This only affects the current shell: lines already saved in ~/.bash_history by earlier sessions stay there, HISTFILESIZE and HISTFILE govern what bash writes to the file, and system-side records such as auditd or syslog entries are untouched. With HISTSIZE set to 0, the history command shows nothing: