Stratos Ally

Clear Tracks in Windows  

Attackers often cover their tracks after gaining access to a Windows system to evade detection and forensic analysis. This involves manipulating auditing settings, clearing logs, hiding artifacts, and erasing activity history to remove traces of malicious activity. Below are key techniques used to hide footprints. 

A. Clear Activity History

Windows keeps a record of user actions such as recently opened files, searches, and clipboard history. Attackers erase it through the Settings app or with PowerShell to remove traces of what they did on the host.

1. Open Settings and click Privacy.
2. Click Activity history in the left panel.
3. Click the Clear button under "Clear activity history".
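The Settings steps above remove the entries from the Timeline view, but the underlying data lives in files a responder can examine directly. The following PowerShell script is an added example, not part of the original article: it reports whether the local activity-history database, the Recent items folder, and the PowerShell console history exist, how large they are, and when they were last written. The paths are the standard per-user locations on Windows 10 and 11; the PSReadLine history path is the default and is an assumption if HistorySavePath has been changed.

```powershell
# Added example (not from the original article): check the local files behind
# "activity history" and related user-activity records. Run as the user being
# examined; for an offline triage, replace the env vars with the profile path.
# Paths are the standard Windows 10/11 locations; the PSReadLine path assumes
# the default HistorySavePath.

$artifacts = @(
    # Windows Timeline / Activity History database, one folder per account ID
    @{ Name = 'Activity history DB'
       Path = Join-Path $env:LOCALAPPDATA 'ConnectedDevicesPlatform\*\ActivitiesCache.db' },
    # Shortcuts Explorer writes for recently opened files
    @{ Name = 'Recent items'
       Path = Join-Path $env:APPDATA 'Microsoft\Windows\Recent\*.lnk' },
    # Command history saved by PSReadLine for interactive PowerShell sessions
    @{ Name = 'PowerShell history'
       Path = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' }
)

function Get-ArtifactState {
    param([hashtable]$Artifact)
    # Wildcards in the path are resolved here; missing files yield an empty array.
    $items = @(Get-ChildItem -Path $Artifact.Path -File -Force -ErrorAction SilentlyContinue)
    if ($items.Count -eq 0) {
        return [pscustomobject]@{ Artifact = $Artifact.Name; Files = 0; Bytes = 0; NewestWrite = $null; Note = 'missing' }
    }
    $newest = ($items | Sort-Object LastWriteTime -Descending)[0]
    $bytes  = ($items | Measure-Object -Property Length -Sum).Sum
    # A record store that is present but tiny and freshly rewritten is consistent with a wipe.
    $note = if ($bytes -lt 1KB -and $newest.LastWriteTime -gt (Get-Date).AddHours(-24)) { 'small and recently rewritten' } else { '' }
    [pscustomobject]@{ Artifact = $Artifact.Name; Files = $items.Count; Bytes = $bytes; NewestWrite = $newest.LastWriteTime; Note = $note }
}

$artifacts | ForEach-Object { Get-ArtifactState -Artifact $_ } | Format-Table -AutoSize
```

An artifact that is normally present on an active profile but is reported as missing, or as very small with a write time that matches the suspected intrusion window, is the signal to look for; the script does not attempt to recover deleted content.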

B. Manipulating auditing with auditpol after gaining admin access

Attackers use auditpol to switch off security logging so that their actions are not recorded, then re-enable it before leaving so that the gap is less obvious.

1. Once an attacker has administrator privileges, they disable auditing for specific subcategories so that the corresponding security events are no longer written:

auditpol /set /subcategory:"Logon" /success:disable /failure:disable

Success events disabled: successful logon attempts are no longer logged (Event ID 4624).

Failure events disabled: failed logon attempts are no longer logged (Event ID 4625).

2. Verify that auditing for the "Logon" subcategory is now disabled:

auditpol /get /subcategory:"Logon"

The output shows "No Auditing" for the "Logon" subcategory.

3. With auditing disabled, the attacker carries out further activity, such as:
   a. Accessing sensitive files or systems.
   b. Creating new user accounts for persistence.
   c. Extracting sensitive information (e.g., passwords, database dumps).
   d. Installing or executing malware.

Only events in the disabled subcategory are suppressed. With "Logon" off, new logon sessions go unrecorded, but account creation (Event ID 4720, under Audit User Account Management) and file access (Audit File System) are still logged unless those subcategories are disabled as well. The change itself is also recorded: while Audit Policy Change is enabled, every auditpol /set produces Event ID 4719 ("System audit policy was changed") in the Security log.

4. Before leaving the compromised system, the attacker restores the original setting so the gap in auditing does not stand out during incident analysis:

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Success events enabled: successful logon attempts are logged again.

Failure events enabled: failed logon attempts are logged again.

5. Confirm that auditing has been restored:

auditpol /get /subcategory:"Logon"

The output now shows "Success and Failure" for the "Logon" subcategory.
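Checking one subcategory by hand, as above, does not scale to the roughly sixty subcategories auditpol manages. The following PowerShell script is an added example and not part of the original article: on its first run it records the effective audit policy as a CSV baseline, on later runs it diffs the live policy against that baseline, and in both cases it lists recent Event ID 4719 entries, which is what the disable/re-enable sequence above leaves behind. It must be run from an elevated PowerShell; the baseline path is an assumed location.

```powershell
# Added example (not from the original article): record the effective audit policy as a
# baseline, diff the live policy against it on later runs, and list recent 4719 events.
# Needs an elevated PowerShell; $Baseline is an assumed location.
param(
    [string]$Baseline = "$env:ProgramData\auditpol-baseline.csv"
)

function Get-AuditPolicyTable {
    # /r makes auditpol emit CSV (Machine Name, Policy Target, Subcategory, GUID,
    # Inclusion Setting, Exclusion Setting); only two columns matter for the diff.
    auditpol /get /category:* /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Compare-AuditPolicy {
    param([object[]]$Expected, [object[]]$Current)
    # Rows only on the "current" side are subcategories whose setting moved off baseline.
    Compare-Object -ReferenceObject $Expected -DifferenceObject $Current `
                   -Property Subcategory, 'Inclusion Setting' |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object {
            $sub = $_.Subcategory
            [pscustomobject]@{
                Subcategory = $sub
                Baseline    = ($Expected | Where-Object Subcategory -eq $sub).'Inclusion Setting'
                Now         = $_.'Inclusion Setting'
            }
        }
}

if (-not (Test-Path $Baseline)) {
    Get-AuditPolicyTable | Export-Csv -Path $Baseline -NoTypeInformation
    "Baseline written to $Baseline; run again to compare."
    return
}

$drift = Compare-AuditPolicy -Expected (Import-Csv $Baseline) -Current (Get-AuditPolicyTable)
if ($drift) { $drift | Format-Table -AutoSize } else { "Audit policy matches baseline." }

# Every auditpol /set is itself recorded as Security Event ID 4719 while Audit Policy Change
# is enabled, so the disable/re-enable pattern above shows up as a pair of these events.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Change'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*(Subcategory|Changes):' }) -join ' | ' } } |
    Format-Table -AutoSize
```

After the attacker's step 4 the diff will be empty again, which is exactly why the 4719 listing is included: the policy looks untouched, but the two change events (one "Success removed, Failure removed", one "Success added, Failure added") bracket the window in which logon events are missing.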

C. ipconfig /flushdns to cover tracks

Attackers run ipconfig /flushdns to clear the DNS resolver cache, removing records of recently resolved names (for example, command-and-control (C2) servers) from the DNS Client service's in-memory cache.

Command to execute: ipconfig /flushdns

Attackers use this command during the covering-tracks phase to reduce the evidence left on the compromised system:

1. Remove DNS resolution history: any domain names the attacker resolved (e.g., C2 servers, phishing sites, or malware download locations) are removed from the cache, so ipconfig /displaydns no longer lists them.
2. This lowers the chance that cached records are captured during incident response, since the cache is volatile and, on a default install, the only local record of name lookups.

Where to look, then?

1. Queries made by the system are usually still logged on the organization's DNS server or by an external resolver (e.g., Google DNS, Cloudflare).
2. Network monitoring devices often log DNS queries and traffic even after the local cache has been cleared.
3. On the host itself, Sysmon records every DNS query as Event ID 22, and the Microsoft-Windows-DNS-Client/Operational log (off by default) records them too; neither is touched by a flush.

D. Clearing logs in Windows

Attackers use wevtutil cl <log_name> or Meterpreter's clearev to clear the Security, System, and Application logs, wiping the evidence of their presence that Event Viewer would otherwise show.

The Windows Event Utility (wevtutil) can clear logs manually.

1. Run cmd as administrator and list all event logs:

wevtutil el

2. Clear all logs in one command:

for /F "tokens=*" %G in ('wevtutil el') do wevtutil cl "%G"

This loops over every log name that wevtutil el returns and clears each one (use %%G instead of %G inside a batch file).

Clearing is not silent: the first event written to a freshly cleared Security log is Event ID 1102 ("The audit log was cleared"), and clearing the System log produces Event ID 104, both naming the account that issued the clear. Events already forwarded to a collector or SIEM are unaffected.
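Sections C and D both come down to the same question for a responder: what survives the wipe on the host itself. The following PowerShell script is an added example, not part of the original article, and covers both: it reports how many entries are currently in the resolver cache (a near-empty cache on a busy host is consistent with a flush), pulls the Event ID 1102 and 104 records that a log clear leaves behind, and, if Sysmon is installed, lists Event ID 22 DNS queries matching a domain of interest. The time window, the domain substring, and the default Sysmon channel name are assumptions.

```powershell
# Added example (not from the original article): look for what survives a DNS flush and a
# log clear. Event ID 1102 (Security) and 104 (System) are written when those logs are
# cleared; Sysmon, if installed, logs every DNS query as Event ID 22 outside the resolver
# cache. $Since and $Domain are assumed inputs; the Sysmon channel name is the default one.
param(
    [datetime]$Since  = (Get-Date).AddDays(-7),
    [string]  $Domain = 'example.com'   # substring to look for in queried names
)

function Get-LogClearEvents([datetime]$Start) {
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $Start },
        @{ LogName = 'System';   Id = 104;  StartTime = $Start }
    )
    foreach ($f in $filters) {
        # An empty result just returns nothing; the clear itself may have removed older
        # occurrences, which is why the forwarded copy on a collector matters.
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id,
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

function Get-SysmonDnsEvents([datetime]$Start, [string]$Pattern) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22; StartTime = $Start } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields are name/value pairs in the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; QueryName = $data['QueryName']; Image = $data['Image'] }
        } |
        Where-Object { $_.QueryName -like "*$Pattern*" }
}

"Entries currently in the local resolver cache: $(@(Get-DnsClientCache -ErrorAction SilentlyContinue).Count)"
"--- Log-clearing events since $Since ---"
Get-LogClearEvents -Start $Since | Format-Table -AutoSize
"--- Sysmon DNS queries matching '$Domain' since $Since ---"
Get-SysmonDnsEvents -Start $Since -Pattern $Domain | Format-Table -AutoSize
```

The Sysmon query also returns the Image field, so a lookup of a suspicious name made by an unexpected process (a renamed binary in a temp directory rather than a browser) stands out even when the resolver cache has been emptied.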

E. Hiding artifacts using NTFS Alternate Data Streams (ADS)

NTFS Alternate Data Streams (ADS) are a file-system feature that lets additional data be stored inside a file without changing the size or visible properties of that file's main content. Attackers use them to hide payloads, logs, or other artifacts inside a legitimate-looking file, evading casual inspection and covering their tracks.

1. Open cmd as administrator and create a file:

echo This is a hidden file > C:\SecretFile.txt

This creates SecretFile.txt in C:\ containing the text "This is a hidden file".

2. Copy the file's content into an alternate data stream of another file:

type C:\SecretFile.txt > C:\LegitFile.txt:SecretFile.txt

This creates LegitFile.txt (with an empty main stream if it did not already exist) and stores the content in a stream named SecretFile.txt attached to it.

3. Verify that the stream exists:

dir /r C:\

The /R switch lists alternate data streams; LegitFile.txt:SecretFile.txt:$DATA appears beneath LegitFile.txt.

4. Read the hidden content back:

more < C:\LegitFile.txt:SecretFile.txt

5. Once the content is confirmed to be inside LegitFile.txt, delete the original file:

del C:\SecretFile.txt

6. A normal directory listing does not show the alternate data stream, and LegitFile.txt reports only the size of its main stream (0 bytes here):

dir C:\

Two caveats: streams exist only on NTFS, so copying the file to a FAT or exFAT volume or uploading it drops the hidden data, and they are easy to enumerate once someone looks (dir /r, PowerShell's Get-Item -Stream *, or the Sysinternals Streams tool).

Steganography can likewise hide malicious payloads inside images, videos, and audio files; see the linked article on how to perform steganography.
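dir /r only inspects one directory at a time. The following PowerShell script is an added example and not part of the original article: it walks a directory (optionally the whole tree) and reports every alternate data stream that is neither the default :$DATA stream nor the Zone.Identifier stream browsers attach to downloads, optionally showing the first line of each stream. The root path and the two switches are assumed parameters; run against C:\ it will find the LegitFile.txt:SecretFile.txt stream created above.

```powershell
# Added example (not from the original article): enumerate NTFS alternate data streams
# under a directory, skipping the default ':$DATA' stream and the Zone.Identifier stream
# that browsers attach to downloads. $Root, -Recurse and -ShowContent are assumed parameters.
param(
    [string]$Root = 'C:\',
    [switch]$Recurse,       # walking a whole volume takes a while; default is the top level only
    [switch]$ShowContent    # print the first line of each stream (useful for text payloads)
)

function Find-AlternateStreams {
    param([string]$Path, [bool]$Deep)
    Get-ChildItem -Path $Path -File -Force -Recurse:$Deep -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream with FileName, Stream and Length.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        }
}

foreach ($s in (Find-AlternateStreams -Path $Root -Deep $Recurse)) {
    "{0}:{1}  ({2:N0} bytes)" -f $s.FileName, $s.Stream, $s.Length
    if ($ShowContent) {
        # -Stream reads the named stream instead of the main content.
        $line = Get-Content -LiteralPath $s.FileName -Stream $s.Stream -TotalCount 1 -ErrorAction SilentlyContinue
        if ($line) { "    > $line" }
    }
}
# To remove a stream once examined: Remove-Item -LiteralPath <file> -Stream <name>
```

Zone.Identifier is excluded only to cut noise; a stream with that name on a file that was never downloaded is itself unusual, so drop the exclusion when hunting rather than triaging.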

Conclusion

Clearing tracks is how attackers stay undetected after the fact, but each technique above leaves its own signal: audit policy changes (Event ID 4719), cleared logs (Event IDs 1102 and 104), a flushed resolver cache that no longer agrees with upstream resolver or network logs, and unexpected alternate data streams. Forwarding events to a SIEM as they are written and running endpoint monitoring means that a log cleared on the host no longer erases the record, and the act of clearing it becomes the alert.
