System Hacking - Disabling Auditing


  • System Hacking - Disabling Auditing

    The best way to prevent yourself from being discovered is to leave no tracks at all. And the best way to accomplish this is to prevent any tracks from being created or at least minimize the amount of evidence. When you are trying not to leave tracks, a good starting point is altering the way events are logged on the targeted system.
    Disabling auditing on the target system prevents certain events from appearing and therefore slows the detection efforts. Remember that auditing is designed to allow for the detection and tracking of selected events on a system. Once auditing is disabled, you have effectively deprived the defender of a great source of information and forced them to seek other methods of detection.
    In the Windows environment, you can disable auditing with the auditpol command. This can also be done remotely using a NULL session if needed.
    Certified Security Geek
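
On the detection side of the post above: Windows records a change to the system audit policy as Security event 4719, so the policy change is itself something a defender can alert on. The following is an added example, not part of the original post; it assumes events exported as XML under an `Events` root element, and the sample events, user names and GUIDs are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Message codes Windows writes in the AuditPolicyChanges field of event 4719.
CHANGES = {"%%8448": "Success removed", "%%8449": "Success added",
           "%%8450": "Failure removed", "%%8451": "Failure added"}

# Constructed sample export (not captured from a real host).
EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
         '<System><EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/></System>'
         '<EventData><Data Name="SubjectUserName">{user}</Data>'
         '<Data Name="SubcategoryGuid">{guid}</Data>'
         '<Data Name="AuditPolicyChanges">{chg}</Data></EventData></Event>')
GUID = "{00000000-0000-0000-0000-000000000001}"  # placeholder subcategory GUID
SAMPLE = "<Events>" + "".join([
    EVENT.format(eid=4719, ts="2024-01-01T10:00:00Z", user="admin1",
                 guid=GUID, chg="%%8448, %%8450"),   # auditing turned off
    EVENT.format(eid=4719, ts="2024-01-01T11:00:00Z", user="admin2",
                 guid=GUID, chg="%%8449"),           # auditing turned on
    EVENT.format(eid=4624, ts="2024-01-01T12:00:00Z", user="user3",
                 guid=GUID, chg=""),                 # unrelated event
]) + "</Events>"

def audit_reductions(xml_text):
    """Return one finding per 4719 event that removed success or failure auditing."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4719":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        codes = re.findall(r"%%\d+", data.get("AuditPolicyChanges", ""))
        removed = [CHANGES[c] for c in codes
                   if CHANGES.get(c, "").endswith("removed")]
        if removed:  # policy was weakened, not strengthened
            findings.append({
                "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                "user": data.get("SubjectUserName"),
                "subcategory_guid": data.get("SubcategoryGuid"),
                "removed": removed,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_reductions(SAMPLE):
        print(finding)
```

Forward these events off the host as they are written, since a later log clear on the machine would otherwise take the 4719 record with it.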