covering_tracks

We can delete all logs by running the Meterpreter command

clearev

However, this can look suspicious, so we can instead delete logs selectively, for example:

run event_manager -h
run event_manager -i # shows the types of logs we can delete
run event_manager -c "Windows Powershell" # clears all Windows PowerShell logs
run event_manager -l Application # lists the logs in the "Application" category
run event_manager -l Application -s /tmp/ApplicationLogs.txt # saves the logs to our machine so that we can inspect them more comfortably

Once we have these logs we can open them, for example with LibreOffice Calc or equivalent software, and search for our (attacker) IP address. If it is there, we can proceed with the removal of the entire Application log.

Notice that in the current version of Metasploit we cannot remove single entries from logs; we can only remove whole categories (or sections).
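From the defender's side, as an added example that is not part of this cheat sheet or of Metasploit: Windows itself records log clearing (Event ID 1102 in the Security log when it is cleared, Event ID 104 in the System log when another log is cleared), and a cleared log restarts its record numbering, so wiping a whole category leaves two signals. The event records below and their field names are constructed for this example.

```python
"""Flag Windows event-log clearing in exported event records (added example).

Constructed, simplified records: each dict mimics an exported event with
its log (Channel), provider, EventID and per-log RecordNumber. Windows
writes Event ID 1102 (provider Microsoft-Windows-Eventlog) to the Security
log when it is cleared, and Event ID 104 to the System log when any other
log is cleared; "ClearedLog" here stands in for the log name carried in the
event data of a 104 record.
"""

# Constructed sample export: Security log wiped, then Application log wiped.
SAMPLE_EVENTS = [
    {"RecordNumber": 4101, "Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4624},
    {"RecordNumber": 4102, "Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4688},
    {"RecordNumber": 1, "Channel": "Security", "Provider": "Microsoft-Windows-Eventlog", "EventID": 1102},
    {"RecordNumber": 2, "Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4624},
    {"RecordNumber": 980, "Channel": "System", "Provider": "Service Control Manager", "EventID": 7036},
    {"RecordNumber": 981, "Channel": "System", "Provider": "Microsoft-Windows-Eventlog", "EventID": 104, "ClearedLog": "Application"},
    {"RecordNumber": 1, "Channel": "Application", "Provider": "Application Error", "EventID": 1000},
]

# (log the record lands in, EventID) pairs that mean "a log was cleared"
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def find_log_clears(events):
    """Return findings in record order.

    ("record_reset", log, previous, current): RecordNumber went backwards
        within one log, which only happens after that log was cleared.
    ("clear_event", log, event_id, cleared_log): an explicit 1102/104 record.
    The reset check is independent of the explicit record, so it still
    fires if the 1102/104 entry is later removed by a second clear.
    """
    findings = []
    last_record = {}
    for ev in events:
        log, eid, rec = ev["Channel"], ev["EventID"], ev["RecordNumber"]
        prev = last_record.get(log)
        if prev is not None and rec < prev:
            findings.append(("record_reset", log, prev, rec))
        if (log, eid) in CLEAR_EVENTS:
            findings.append(("clear_event", log, eid, ev.get("ClearedLog", log)))
        last_record[log] = rec
    return findings


def cleared_logs(events):
    """Set of log names the export says were cleared, by either signal."""
    return {f[1] if f[0] == "record_reset" else f[3] for f in find_log_clears(events)}
```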

We may also need to change the timestamps of files with the timestomp command, or to shred a file. Indeed, if we want to remove a file and be sure nobody can retrieve it, we should use sdel.