Protection and forgery of Windows logs

Protection and forgery of Windows logs
Original: netone (cexo)

Protection and forgery of Windows logs
Logs play an obvious role in system security. Both network administrators and hackers pay great attention to logs. An experienced administrator can quickly learn about the security performance of the system through logs, A smart hacker can quickly clear the unfavorable logs after successful intrusion. Next we will discuss the log security and creation issues.
I. Overview: Windows system log files include application logs, security logs, system logs, DNS server logs, and so on. default location of application logs, security logs, system logs, and DNS logs: % SystemRoot %/system32/config. The default file size is kb.
Security log file: % SystemRoot %/system32/config/secevent. EVT
System log file: % SystemRoot %/system32/config/sysevent. EVT
Application Log File: % SystemRoot %/system32/config/appevent. EVT
These log files are in the registry:
HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/EventLog
Some administrators may relocate these logs. There are many sub-tables under Eventlog, which can find the Location Directory of the above logs.

 

2. As a network administrator:
1. Log Security Configuration:
By default, the log size is KB. If it exceeds the maximum size, an error is reported and no logs are recorded. Therefore, the primary task is to change the default size. The specific method is as follows: each log corresponding to HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/EventLog in the Registry has a maxsize subkey, such as system, security, and application, modify it.
The following is a script from the Microsoft site, which uses VMI to set the maximum log size to 25 MB, and allows the log to overwrite the logs 14 days ago:
This script uses WMI objects. WMI (Windows Management Instrumentation) technology is a Windows system management tool provided by Microsoft. This tool allows you to locally or manage almost everything in the client system. Many professional network management tools are developed based on WMI. This tool is a standard tool in Win2000 and WinNT, and an extended Installation option in Win9x. Therefore, the following code can be successfully run at 2000 or above.

Strcomputer = "."
Set ob1_miservice = GetObject ("winmgmts :"_
& "{Impersonationlevel = impersonate, (Security )}! //"&_
Strcomputer & "/root/cimv2") 'to obtain the VMI object
Set collogfiles = obw.miservice. execquery _
("Select * From win32_nteventlogfile ")
For each objlogfile in collogfiles
Strlogfilename = objlogfile. Name
Set wmiswbemobject = GetObject _
("Winmgmts: {impersonationlevel = impersonate }! //./Root/cimv2 :"_
& "Win32_nteventlogfile.name = '" & strlogfilename &"'")
Wmiswbemobject. maxfilesize = 2500000000
Wmiswbemobject. overwriteoutdated = 14
Wmiswbemobject. Put _
Next
You can use the above script with the vbs Suffix in the notepad.
In addition, it should be noted that strcomputer = ". "In Windows scripts, the meaning is equivalent to localhost. to execute code on a remote host, you only need to put ". "changed to the host name. Of course, you must first have the administrator privilege of the host and establish an IPC connection. the strcomputer that appears in the code in this article can be modified as follows.
2. Log query and backup:
Other, his common methods:
Dumpel-f filename-S // server-l log
-F filename: location and file name of the output log
-S // The server outputs remote computer logs
-L log options include system, security, application, and DNS.
To transfer system logs on the target server to backupsystem. Log, use the following format:
Dumpel // server-L system-F backupsystem. Log
You can use scheduled tasks to regularly back up system logs.
In addition, the script-programmed VMI object can easily implement log backup:
The following code backs up application logs:
Backuplog. vbs
Strcomputer = "."
Set ob1_miservice = GetObject ("winmgmts :"_
& "{Impersonationlevel = impersonate, (Backup )}! //"&_
Strcomputer & "/root/cimv2") 'to obtain the VMI object
Set collogfiles = obw.miservice. execquery _
("Select * From win32_nteventlogfile where logfilename = 'application'") 'get the application logs in the log object
For each objlogfile in collogfiles
Errbackuplog = objlogfile. backupeventlog ("F:/application. EVT") 'back up the log to F:/application. EVT
If errbackuplog <> 0 then
Wscript. Echo "The Application Event Log cocould not be backed up ."
Else wscript. Echo "Success backup log"
End if
Next
Program Description: If the backup is successful, the window will prompt: "Success backup log" otherwise, the prompt will be: "The Application Event Log cocould not be backed up ", the backup log here is the application backup location F:/application. EVT, which can be modified by yourself. The backup format here is the original EVT format. If you open it in notepad, It is garbled. This is not as convenient as dumpel.

Iii. As a hacker
1. Days to clear
The first thing a hacker can do after a successful system intrusion is to clear logs. It is not difficult to delete logs if the hacker remotely controls the other machine on the GUI or logs in from the terminal, although logs are also run as a service, but unlike services such as HTTP and FTP, logs can be stopped and deleted in the command line, using net stop EventLog in M command line cannot be stopped, so some people think it is very difficult to delete logs in command line. In fact, this is not the case. The following describes several methods:
1. using third-party tools: for example, the elsave.exe remote clearing of system, applicaton, and security software is easy to use. First, use the obtained Administrator Account to establish an IPC session with the other party. net use // ip pass/User: user
Then run elsave-S // ip-l Application-C on the command line to delete the security log.
In fact, this software can also be used to back up logs. You only need to add a parameter-f filename, which will not be detailed here.
2. Using the VMI in Script Programming, you can also delete logs. First, you can obtain the object and then use its cleareventlog () method to delete logs. Source code:
Cleanevent. vbs
Strcomputer = "."
Set ob1_miservice = GetObject ("winmgmts :"_
& "{Impersonationlevel = impersonate, (Backup )}! //"&_
Strcomputer & "/root/cimv2 ")
Dim mylogs (3)
Mylogs (1) = "application"
Mylogs (2) = "system"
Mylogs (3) = "security"
For each logs in mylogs
Set collogfiles = obw.miservice. execquery _
("Select * From win32_nteventlogfile where logfilename = '" & logs &"'")
For each objlogfile in collogfiles
Objlogfile. cleareventlog ()
Next
Next
In the code above, create an array, which is application, security, and system. If there are other logs, you can add the array.
Then, use a for loop to delete each element in the array, that is, each log.
2. Create log:
After deleting the log, any thoughtful administrator will immediately respond to the empty log and be intruded. So how can a smart hacker learn?
Counterfeit logs:
1. Using the EventLog method in Script Programming makes it very easy to create logs. Let's take a look at the code below.
Createlog. vbs
Set Ws = wscript. Createobject ("wscript. Shell ")
WS. logevent 0, "Write log success" 'create a successful execution log
This code is easy to read. first obtain a shell object of wscript, and then use the logevent method of the shell object.
Logevent usage: logevent eventtype, "Description" [, remote system]
Eventtype is the log type. The following values can be used: 0 indicates successful execution, 1 indicates execution error, 2 warning, 4, information, 8 indicates successful audit, 16 indicates failure audit.
So in the code above, you can change 0 to 1, 2, 4, 8, or 16. The log description is enclosed in quotation marks.
The log written in this method has one disadvantage: it can only be written to application logs, and the log source can only be wsh, that is, Windows Scripting host. Therefore, it cannot be concealed too much.
Microsoft provides a new command line tool, eventcreate.exe, for system administrators and programmers. It is easier to create logs by using it.
Eventcreate-S server-l LOGNAME-u username-P password-So source-T eventtype-ID-D description
Meaning:-s creates logs for the remote host:-u remote host user name-P remote host User Password
-L log; System and Application can be created, and security logs cannot be created,
-So log source, which can be any log-T log type such as information Information, error, warning,
-D log description, which can be any statement-the ID of the independent log is within 1-
For example, we want to create a local system log. The log source is admin, the log type is warning, the description is "this is a test", and the event ID is 500.
The following parameters can be used:
Eventcreate-L system-So administrator-T warning-d "this is a test"-ID 500
This tool cannot create security logs. I hope you can find a good way to create security logs!