Identify the target IP address
Gaining Access
The target system has a vulnerable version of BadBlue running on port 80 that can be exploited through the use of a Metasploit module.
To use this exploit module, we first need to start the Metasploit Framework Console (msfconsole). This can be done by running the following command:
msfconsole
After starting msfconsole, we can load the module by running the following command:
use exploit/windows/http/badblue_passthru
We now need to configure the module options. More specifically, we need to set the target IP address. This can be done by running the following command:
set RHOSTS 10.2.27.188
After configuring the module options, we can execute the exploit module by running the following command:
exploit
As shown in the following screenshot, the exploit module runs successfully and provides us with a meterpreter session on the target system.
Now that we have gained access to the Windows target system, we can explore the process of clearing our tracks on it.
Clearing Windows Event logs
Whenever you successfully gain access to a Windows target, all of your activity is logged in the form of Windows events. While it is not recommended to delete or clear the Windows Event log, meterpreter provides you with the ability to clear the entire Windows Event log. This can be done by running the following command:
clearev
As shown in the following screenshot, meterpreter clears the Windows Event log.
Conclusion
After running the clearev command, all data in the Event Viewer has been wiped. If you are using your own local lab, you can access your Windows machine and check the Event Viewer.
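The Event Viewer check described above can also be scripted. The following Python is an added example, not part of the original walkthrough: it scans exported event XML for the records Windows writes when a log is cleared (Event ID 1102 in the Security log, Event ID 104 in the System log). The sample events, the host name LAB-WIN and the user labuser are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Windows records a log wipe after it happens:
#   1102 in Security = the Security log was cleared
#   104  in System   = another log (named in UserData/Channel) was cleared
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample shaped like `wevtutil qe <log> /f:xml` output inside a root element.
NS = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
SAMPLE = f"""<Events>
<Event {NS}><System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-01T09:58:00Z"/>
 <Channel>Security</Channel><Computer>LAB-WIN</Computer></System></Event>
<Event {NS}><System><EventID>1102</EventID><TimeCreated SystemTime="2024-01-01T10:00:05Z"/>
 <Channel>Security</Channel><Computer>LAB-WIN</Computer></System>
 <UserData><LogFileCleared><SubjectUserName>labuser</SubjectUserName></LogFileCleared></UserData></Event>
<Event {NS}><System><EventID>104</EventID><TimeCreated SystemTime="2024-01-01T10:00:05Z"/>
 <Channel>System</Channel><Computer>LAB-WIN</Computer></System>
 <UserData><LogFileCleared><SubjectUserName>labuser</SubjectUserName>
 <Channel>Application</Channel></LogFileCleared></UserData></Event>
</Events>"""

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_log_clears(xml_text):
    """Return one finding per log-cleared event found in the exported XML."""
    findings = []
    for event in ET.fromstring(xml_text):
        parts = {_local(c.tag): c for c in event}
        if "System" not in parts:
            continue  # not a well-formed event record
        system = {_local(c.tag): c for c in parts["System"]}
        event_id = int(system["EventID"].text)
        if (system["Channel"].text, event_id) not in CLEAR_EVENTS:
            continue
        user_data = parts.get("UserData", ET.Element("UserData"))
        data = {_local(c.tag): (c.text or "").strip() for c in user_data.iter()}
        findings.append({
            "time": system["TimeCreated"].get("SystemTime"),
            "host": system["Computer"].text,
            "cleared_log": "Security" if event_id == 1102 else data.get("Channel", "unknown"),
            "user": data.get("SubjectUserName", "unknown"),
        })
    return findings

if __name__ == "__main__":
    for finding in find_log_clears(SAMPLE):
        print(finding)
```

Forwarding events to a separate collector keeps these records available even if the local log is cleared again afterwards.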