hackfaq-13.html
748325d98aa304b4985449e741a5a8b5c56ad9d7add980fc05143542f5adb7d8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.6">
<TITLE>The Hack FAQ: NT Logging and Backdoors</TITLE>
<LINK HREF="hackfaq-14.html" REL=next>
<LINK HREF="hackfaq-12.html" REL=previous>
<LINK HREF="hackfaq.html#toc13" REL=contents>
</HEAD>
<BODY BGCOLOR="black" TEXT="white" LINK="gray" VLINK="gray" HLINK="red">
<A HREF="hackfaq-14.html">Next</A>
<A HREF="hackfaq-12.html">Previous</A>
<A HREF="hackfaq.html#toc13">Contents</A>
<HR>
<H2><A NAME="s13">13. NT Logging and Backdoors</A></H2>
<P>This section contains info regarding logging and backdoors for NT.
<P>
<H2><A NAME="ss13.1">13.1 Where are the common log files in NT?</A>
</H2>
<P>These are located in %root%\SYSTEM32\CONFIG. They are:
<P>
<UL>
<LI> AppEvent.Evt - Records events involving the running of certain applications.</LI>
<LI> SecEvent.Evt - Records security events.</LI>
<LI> SysEvent.Evt - Records basic events.</LI>
</UL>
<P>As a hacker do not worry about the AppEvent.Evt file much -- you are mainly
concerned with items in the regular event log (the SysEvent.Evt file) and the
security log (the SecEvent.Evt). By default regular users should be able to
read the regular event log, and you may wish to look that over if you can to
see if your "visit" left a trace. If it did and the entries look out of place,
consider adding entries from other users that are similiar by accessing the
system as these other users.
<P>You have to have Administrative Group rights to view the security event log.
And you'll certainly want to check that to see what is in it.
<P>
<H2><A NAME="ss13.2">13.2 How do I edit/change NT log files without being detected?</A>
</H2>
<P>Well this can be a little tricky as these files are locked in place during NT's
operation. You have a couple of choices at this time -- wipe the logs or try
to add stuff to them to add camoflage obfuscation. Not elegant, but better
than nothing.
<P>
<H2><A NAME="ss13.3">13.3 So how can I view/clear/edit the Security Log?</A>
</H2>
<P>You have to be in as an Administrator or as someone in the Administrator's group.
<P>Start the Event Viewer, and from the Log menu select Security. You view individual items by double clicking on them. To clear them (which is an all or nothing proposition) select Clear All Events from Log. If asked to save the info, answer no.
<P>There is currently no way to edit the contents of the Security Event Log, although it is not impossible. One could conceivably boot up the system with Linx on a floppy, copy the logs off for editing in a hex editor, and copy doctored logs back up. I've considered writing the software to do this, although I probably never will.
<P>
<H2><A NAME="ss13.4">13.4 How can I turn off auditing in NT?</A>
</H2>
<P>This requires Administrator access. From the User Manager go to the Policies menu and select Audit. Turn off the things you wish to turn off.
<P>As far as individual files and directories, you have to right-click on the file or directory from within Explorer, go to Properties and go to the security tab. Click on the auditing button for details, and turn off what you need turned off.
<P>If you need to do this from a command line, check out the question "I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?" in the NT Client Attacks section.
<P>
<P>
<HR>
<A HREF="hackfaq-14.html">Next</A>
<A HREF="hackfaq-12.html">Previous</A>
<A HREF="hackfaq.html#toc13">Contents</A>
</BODY>
</HTML>