Remove Event Log – Cover Track After Hacking Metasploit

There are so many ways to hack into a computer but after comprising the computer an attacker (hacker) needs to cover their track because each and every activity that a hacker do (or a normal user do) is recorded by the system. So whenever a hacker hack into a web server or a computer than after doing the work an attacker usually cover the track so that no one is able to catch them. How to cover your track after hacking or how a hacker cover their track is an important topic of discussion and need more tutorial because every operating system has its own way to maintain the logs.
Log files contain the information of every activity that has been done on a computer so it is very important to remove this log file. There are different way to remove log files on windows, Linux and MAC but in this tutorial I will show you how to remove event log management by using Metasploit post exploitation tutorial for windows.


  • Metasploit (Backtrack 5 r1 using for tutorial, you can use some other too)
  • A compromised host (it is very easy to hack into windows by using metasploit, as discussed before if you don’t know how than let us know I will share the link of the previous tutorial)
  • A brain
Now let suppose you have hacked a windows operating system and you have a meterpreter session than you can do multiple things via meterpreter session like you can cover your track by removing the log file. The picture below shows that how a windows maintain logs that an attacker need to remove.

On our meterpreter session we need to call a post exploitation script that is available and has been given with metasploit (you can create some more script too). Lets call irb

meterpreter > irb
[*] Starting IRB shell
[*] The ‘client’ variable holds the meterpreter client
>> client.sys.config.sysinfo()
=> {“Computer”=>”VIRTUAL-7C33D2A”, “OS”=>”Windows XP (Build 2600, Service Pack 2).”, “Architecture”=>”x86”, “System Language”=>”en_US”}

Than we need to clear the log it requires an easy command.

>> log.clear
=> #<#:0xb6779424 @client=#>,
/trendmicro_serverprotect_earthagent”=>#, “windows/browser/ie_iscomponentinstalled”=>#, “windows/exec/reverse_ord_tcp”=>#, “windows/http/apache_chunked”=>#, “windows/imap/novell_netmail_append”=>#

Thats it.

Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.
Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

How to Exploit Heartbleed using Metasploit in Kali Linux

Heartbleed vulnerability (registered as CVE-2014-0160) is a security bug present in the older version of OpenSSL cryptographic library. OpenSSL is a cryptographic toolkit used...

How to Install Parrot Security OS on VirtualBox in 2020

Parrot Security OS is a free GNU/LINUX distribution, released on 10th April 2013. It is a mixture of Kali Linux and Frozenbox OS, aims to...

How to Install Kali Linux on VirtualBox [Windows Host] in 2020

Kali Linux is a Debian based Linux distribution, released on the 13th March 2013 as a complete rebuild of BackTrack Linux. It is one of...

Acunetix v13 Release Introduces Groundbreaking Innovations

The newest release of the Acunetix Web Vulnerability Scanner further improves performance and premieres best-of-breed technologies London, United Kingdom – February 5, 2019 – Acunetix,...