COVERING TRACKS

Once an attacker finishes his work, he wants to erase every trace that could lead investigators back to him. This is typically done by:
  1. Disabling auditing.
  2. Clearing logs.
  3. Modifying logs and registry files.
  4. Removing all files and folders created during the intrusion.

The most obvious reasoning behind this phase, as its title ‘Covering Tracks’ states, is to cover the attacker's tracks. The majority of this is done through rootkits, which we will be addressing shortly. Once there has been an indicator of compromise on a system or asset, there will be a notable amount of logs and residual artifacts that investigators use to validate the compromise and assist in the triage process. From the attacker's perspective, covering up these logs and other artifacts is key to maintaining access and preventing the identification of a potential advanced persistent threat.
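Each of the four actions listed above leaves its own trace when logs are forwarded off the host before they can be touched. The following detector is an added example (not part of the original page) that runs over constructed Windows event log records and flags the events a defender would watch for: the audit policy being changed or the logging service stopping (disabling auditing), the Security or System log being cleared (clearing logs), and registry values being modified. It also looks for long silent windows in a normally busy log, which is often the only residue left when a log has been wiped. The event IDs are real Windows Event Log IDs; the sample records, the record layout and the six-hour gap threshold are assumptions made for this example.

```python
"""Flag covering-tracks indicators in normalised Windows event log records.

Added example; the sample records below are constructed, not real telemetry.
"""
from datetime import datetime, timedelta

# Real Windows Event Log IDs paired with the covering-tracks actions from the text.
# The pairing is our own; the IDs themselves are documented Windows events.
TRACK_COVERING_EVENTS = {
    ("Security", 1102): "audit log cleared",                # clearing logs
    ("System", 104): "event log cleared",                   # clearing logs
    ("Security", 4719): "system audit policy changed",      # disabling auditing
    ("Security", 1100): "event logging service shut down",  # disabling auditing
    ("Security", 4657): "registry value modified",          # modifying the registry
}

# Constructed sample records in the shape a SIEM export would give after
# normalisation (assumed layout: time, channel, event_id, account).
SAMPLE_RECORDS = [
    {"time": "2024-01-10T08:00:00", "channel": "Security", "event_id": 4624, "account": "jdoe"},
    {"time": "2024-01-10T08:05:00", "channel": "Security", "event_id": 4719, "account": "svc_backup"},
    {"time": "2024-01-10T08:06:00", "channel": "Security", "event_id": 1102, "account": "svc_backup"},
    {"time": "2024-01-10T20:30:00", "channel": "System", "event_id": 104, "account": "svc_backup"},
    {"time": "2024-01-10T20:31:00", "channel": "Security", "event_id": 4624, "account": "jdoe"},
]


def classify(record):
    """Return a description if the record is a known covering-tracks event, else None."""
    return TRACK_COVERING_EVENTS.get((record["channel"], record["event_id"]))


def find_gaps(records, max_gap_hours=6):
    """Return (start, end) pairs where consecutive records are further apart than the threshold.

    A silent window is a weaker signal than an explicit 1102 event, but it is one of
    the few traces left when logs were cleared on a host that was not forwarding them.
    The threshold is an assumption; tune it to the host's normal event rate.
    """
    max_gap = timedelta(hours=max_gap_hours)
    times = sorted(datetime.fromisoformat(r["time"]) for r in records)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


def detect(records, max_gap_hours=6):
    """Run both checks and return the findings as a list of dicts."""
    findings = []
    for r in records:
        label = classify(r)
        if label:
            findings.append({"kind": "event", "time": r["time"],
                             "account": r["account"], "detail": label})
    for start, end in find_gaps(records, max_gap_hours):
        findings.append({"kind": "gap", "time": start.isoformat(), "account": None,
                         "detail": f"no records for {end - start} (until {end.isoformat()})"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f['time']}  {f['kind']:<5}  {f['account'] or '-':<12} {f['detail']}")
```

Run against the sample data this reports the audit policy change and the Security log clear by the same account a minute apart, the later System log clear, and the twelve-hour silence in between. The event-ID check only works if the records reach a collector the attacker cannot reach; the gap check is the fallback for hosts where they did not.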


