Phases: Covering Your Tracks: - Steganography - Event Logs Alteration


Phases: Covering your tracks

• Steganography

• Event Logs Alteration

By: Harshal, Sankalp, Chetan, Yashasvi, Pankaj
Covering your tracks:

 An attacker needs to destroy evidence of his presence and activities,
or else he can get caught.

 This usually starts with erasing the contaminated logins and any possible
error messages that may have been generated from the attack process.

 It is imperative for the attacker to make the system look like it did before
they gained access and established backdoors for their use.

 Trojans such as netcat come in handy for any attacker who wants to destroy
the evidence in the log files or to replace the system binaries with trojanned copies.

 Rootkits are automated tools designed to hide the presence of the attacker.
By executing the script, a variety of critical files are replaced with
trojanned versions, hiding the attacker with ease.

 In some extreme cases, rootkits can disable logging altogether and discard
all existing logs.
Steganography:

 Steganography is the hiding of a secret message within an ordinary
message (audio, image, etc.) and the extraction of it at its destination.

 An attacker can use the system as a cover to launch fresh attacks against other
systems or use it as a means of reaching another system on the network without
being detected.

 Steganography takes cryptography a step further by hiding an encrypted
message so that no one suspects it exists.

 In modern digital steganography, data is first encrypted by the usual means and
then inserted, using a special algorithm, into redundant data that is part of a
particular file format, such as a JPEG image.
Event Logs Alteration:

 A log file is a file that records either events that occur in an
operating system or other software, or messages exchanged between
different users of a communication software. Logging is the act of
keeping a log. In the simplest case, messages are written to a single
log file.

 Alteration of such a log file is known as event log alteration.

Application log: -

 The application log contains events that are logged by programs.

 The events that are written to the application log are determined by the
developers of the software program.

Security log: -

 The security log contains events such as valid and invalid logon attempts. It
also contains events that are related to resource use, e.g. when you create,
open, or delete files.

 You must be logged on as an administrator or as a member of the
administrative group to turn on, to use, and to specify which events are
recorded in the security log.

System log: -

 The system log contains events that are logged by Windows system
components. These events are predetermined by Windows.

Directory Service log: -

 The Directory Service log contains Active Directory-related events. This log is
available only on domain controllers.

DNS Server log: -

 The DNS Server log contains events that are related to the resolution of DNS
names to or from Internet Protocol (IP) addresses.

 This log is available only on DNS servers.

File Replication Service log: -

 The File Replication Service log contains events that are logged during
the replication process between domain controllers.

 This log is available only on domain controllers.

 By default, Event Viewer log files use the .evt extension and are located
in the ‘%SystemRoot%\System32\Config’ folder.

 Log file name and location information is stored in the registry. You can
edit this information to change the default location of log files.
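As an added example that is not part of the slides, the following PowerShell check lets a defender review where the logs described above are stored (reading the registry location the slides mention) and whether any of them has been cleared. It assumes it is run with administrator rights and that the hosts keeps the per-log `File` value under the EventLog service key; the default paths compared against are those stated on the slides and the one used by current Windows versions.

```powershell
# Added example (not from the slides): audit event-log storage and look for
# signs of event log alteration from a defender's point of view.
# Assumptions: run as administrator; each log has a 'File' value under
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log> on this host.

$logs        = 'Application', 'Security', 'System'
$eventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# 1. Where is each log stored? The slides give %SystemRoot%\System32\Config as
#    the default; current Windows versions use %SystemRoot%\System32\winevt\Logs.
#    A path outside %SystemRoot%\System32 deserves a closer look.
$systemRoot     = [Environment]::ExpandEnvironmentVariables('%SystemRoot%')
$expectedPrefix = Join-Path $systemRoot 'System32'
foreach ($log in $logs) {
    $props = Get-ItemProperty -Path "$eventLogKey\$log" -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.File) {
        Write-Warning "${log}: no 'File' value found in the registry"
        continue
    }
    $path = [Environment]::ExpandEnvironmentVariables($props.File)
    if (-not $path.StartsWith($expectedPrefix, [StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "${log} log file has been relocated to: $path"
    } elseif (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "${log} log file is missing on disk: $path"
    } else {
        Write-Output ("{0,-12} {1}" -f $log, $path)
    }
}

# 2. Has a log been cleared? Windows records the clearing itself:
#    Security event 1102 ("The audit log was cleared") and
#    System event 104 ("The <name> log file was cleared").
$filters = @(
    @{ LogName = 'Security'; Id = 1102 },
    @{ LogName = 'System';   Id = 104  }
)
foreach ($f in $filters) {
    $hits = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    foreach ($e in $hits) {
        Write-Warning ("{0} log: event {1} at {2} (provider {3})" -f
            $f.LogName, $e.Id, $e.TimeCreated, $e.ProviderName)
    }
}
```

A relocated log file, a missing file, or a 1102/104 event with no matching maintenance record is the kind of finding that should be cross-checked against a log copy forwarded off the host, since local logs are exactly what the techniques on these slides target.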
ANY QUERIES?
