Windows Post Exploitation - Covering Your Tracks
My last link dump contained materials covering Windows Privilege Escalation. A logical next step would be to hide the evidence that you were on the system in an effort to slow Blue Team detection (if scope allows).
CMD
- CMD - https://www.penflip.com/pwnwiki/pwnwiki/blob/master/covering-tracks-windows.txt
- Enable Disable Event Logs - https://www.windows-commandline.com/enable-disable-event-log-service/
- PowerShell Remove-EventLog - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/remove-eventlog?view=powershell-5.1
- PowerShell Clear-EventLog - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/clear-eventlog?view=powershell-5.1
- cipher.exe - http://techgenix.com/Using-cipherexe/
Tutorials
- Null-Byte Cover Your Tracks & Leave No Trace - https://null-byte.wonderhowto.com/how-to/hack-like-pro-cover-your-tracks-leave-no-trace-behind-target-system-0148123/
- InfoSec Institute Pentesting Covering Tracks - http://resources.infosecinstitute.com/penetration-testing-covering-tracks/
- InfoSec Institute Ant-Forensics Pt1 - http://resources.infosecinstitute.com/anti-forensics-part-1/
- Hacker's Guide for Anti-Forensics - https://www.hackingloops.com/how-to-remove-traces-make-your-computer-untraceable/
- Two Data Hiding Techniques - http://windowsitpro.com/windows/two-data-hiding-techniques
- NTFS Streams - http://www.powertheshell.com/ntfsstreams/
Tools
- clearlogs.exe - http://ntsecurity.nu/toolbox/clearlogs/
- winzapper - http://ntsecurity.nu/toolbox/winzapper/
- snow.exe - http://www.darkside.com.au/snow/
- MP3stego - http://www.petitcolas.net/steganography/mp3stego/
- Steganography Tools - https://en.wikipedia.org/wiki/Steganography_tools
- OpenPuff - https://en.wikipedia.org/wiki/OpenPuff
Why not just use flashdrive with tails?
Tails is great, but this is in reference to post exploitation on a windows device. Being anonymous and covering your tracks are related, but still very different. Just because you are attacking from tails does not mean that you will not leave indications of compromise.
Can you explain this more?
Certainly!
Notice the part that says "slows blue team detection."
Imagine that you have been hired as a penetration tester by some big company. This company not only wants to know if their systems can be compromised, but if their systems CAN be compromised, they also want to test the effectiveness of their incident response team. In your pentest, your goal is to get to their internal file server, but you have only managed to gain access to a rogue mail server set up by a lazy employee. You plan to use the mailserver to pivot into the file server, but you want to make sure that their IR team doesnt notice you using the system. Once you gain access to the file server, maybe you dont want them knowing that you you were attacking from the mail server. Ideally, you cover your tracks after every compromise, and before you leave the system. Then the IR team will never have an opportunity to even know they have been attacked. If the attack is detected, the goal is for forensics to not be able to build a timeline of the attack.
Congratulations @pwnedu! You received a personal award!
You can view your badges on your Steem Board and compare to others on the Steem Ranking
Vote for @Steemitboard as a witness to get one more award and increased upvotes!