Once a system has been exploited, the attacker must cover their tracks to avoid detection, or at least make the reconstruction of the event more difficult for the defender.
An attacker may completely delete the Windows event logs (if they are being actively retained on the compromised server). This can be done from a command shell on the system using the following command:
C:\ del %WINDIR%\*.log /a/s/q/f
The command directs all of the logs to be deleted (/a), including the files from all of the subfolders (/s). The /q option disables all of the queries asking for a yes or no response, and the /f option forcibly removes the files, making recovery more difficult.
This can also be done from the meterpreter prompt by issuing ...
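As an added detection example, not part of the original text, the following Python triages process-creation command lines for the recursive, quiet delete pattern shown above. The sample command lines are constructed, and treating the .evtx event-log store like *.log files is an extension of the page's case.

```python
import re

# Constructed sample process-creation command lines (not from the page): the first
# is the wipe pattern discussed above, the others are look-alikes or benign use.
SAMPLE_CMDLINES = [
    r"cmd.exe /c del %WINDIR%\*.log /a/s/q/f",
    r"cmd.exe /c erase /S /Q /F C:\Windows\System32\winevt\Logs\*.evtx",
    r"cmd.exe /c del C:\Windows\Temp\build.log",
    r"cmd.exe /c dir %WINDIR%\*.log /s",
]

# A target under the Windows directory that names .log or .evtx files.
LOG_PATH = re.compile(r"(%windir%|\\windows\\).*\.(log|evtx)$", re.IGNORECASE)


def parse_delete(cmdline):
    """Return (switches, targets) for a del/erase invocation, or None if absent.

    cmd.exe accepts switches either separated (/s /q) or run together (/a/s/q/f),
    and /a may carry an attribute qualifier (/a:h); only the switch letter is kept.
    """
    tokens = cmdline.split()
    verbs = [i for i, t in enumerate(tokens) if t.lower() in ("del", "erase")]
    if not verbs:
        return None
    switches, targets = set(), []
    for tok in tokens[verbs[0] + 1:]:
        if tok.startswith("/"):
            for part in tok.split("/")[1:]:
                if part:
                    switches.add(part[0].lower())
        else:
            targets.append(tok.strip('"'))
    return switches, targets


def is_log_wipe(cmdline):
    """Flag a recursive (/s), unprompted (/q) delete aimed at Windows log files."""
    parsed = parse_delete(cmdline)
    if parsed is None:
        return False
    switches, targets = parsed
    return {"s", "q"} <= switches and any(LOG_PATH.search(t) for t in targets)


def triage(cmdlines):
    """Return the subset of command lines that match the log-wipe pattern."""
    return [c for c in cmdlines if is_log_wipe(c)]
```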