The most common anti-forensics technique is covering one's tracks. An attacker tries to make it as difficult as possible for forensic investigators to determine how the attack began and who is responsible; in some cases the attacker may even be able to erase all evidence that an attack took place. Covering tracks means obfuscating the source of a malicious event and removing any residual traces of that event before leaving the target environment. It is also relevant when the attack persists after the main exploit phase: the same techniques hide both the initial exploit and the ongoing compromise.
In a pen test, you aren't going to truly hide your attack from the organization; after all, you were hired to report vulnerabilities to the client, not to keep them secret. However, you can still cover your tracks at the end of the test to demonstrate that the client would have serious difficulty handling a real incident. If you're authorized to perform this type of anti-forensics activity, first make sure you have recorded all of the data you'll need for your final report: screenshots, command output, hashes of dropped files, and the timestamps of each action. You don't want to delete all evidence of your attack only to find later that you cannot present that evidence to the organization as proof of compromise. You should also be careful not to cause collateral damage by erasing important data that wasn't part of the attack; a log that was cleared during the test is unavailable to the client for every other investigation that depends on it, so the rules of engagement should state explicitly which logs and files may be touched.
Note that timestomp is a Meterpreter command (it originated in the Metasploit Anti-Forensics Project), not a mimikatz module; it is covered under "Changing timestamp values" below.
Techniques for Covering Your Tracks
The following are some example techniques you can use to cover your tracks:
- Clearing whole event logs. Tools like Metasploit include commands for clearing an entire event log on a machine you're currently exploiting. Because it wipes a whole log rather than specific entries, this is likely to raise suspicion; however, it can still make a forensic analyst's job harder. In a Meterpreter session, clearev clears the Windows Application, System and Security event logs. If you have a direct command shell, you can clear individual logs instead. For example, wevtutil cl Application clears the Application log, and wevtutil cl Security clears the Security log. Be aware that clearing the Security log itself generates a new entry (Event ID 1102, "The audit log was cleared") that records the account that did it, and clearing the System log writes Event ID 104; both are exactly what an analyst looks for first. Any events already forwarded to a collector or SIEM are out of your reach. On a Linux system, a plain-text log can be emptied like any other text file. For example, to clear the syslog: echo "" > /var/log/syslog. This leaves a single blank line; : > /var/log/syslog or truncate -s 0 /var/log/syslog leaves a genuinely empty file. Remember that on a systemd host the journal (read with journalctl) holds a separate binary copy of the same messages, and that rsyslog may be forwarding them to a remote host.
- Clearing specific event log entries. Rather than wiping a log entirely and giving investigators something to be suspicious about, you can remove only the entries that would reveal your attack. For example, say you've logged in to a Linux system using a backdoor account called "backdr". Before leaving, you could wipe the entries in auth.log that show the account logging in, rather than clearing the entire log. You can use a variety of methods to do this. The following example uses sed to delete all lines matching the given string while keeping the other lines intact: sed -i '/backdr/d' /var/log/auth.log. Note that sed -i writes a new file and renames it over the original, so the log gets a new inode and a modification time of "now", which a careful analyst can spot; writing the filtered content back into the existing file and restoring its mtime is quieter. Also note that auth.log is not the only record of a login: wtmp, btmp and lastlog (read with last, lastb and lastlog) and the systemd journal record the same events, and a remote syslog or SIEM keeps a copy you cannot edit.
- Changing or forging event log entries. Rather than removing an entry or an entire log, it may be more beneficial to alter entries. For example, altering a user logon entry in the Windows Security log may enable you to frame another individual. You can also forge events at the source by stealing a privileged user's token and then performing a malicious task; the resulting events are recorded as if that user performed the action. In Meterpreter, enter steal_token <PID>, where <PID> is the process ID of a process owned by the user whose token you want to steal; your session must already have sufficient privilege (typically SYSTEM or an account holding SeImpersonatePrivilege) to open that process. Use rev2self to drop the stolen token again.
- Erasing shell history. Certain shells, like Bash on Linux, store the last n commands in a history list and write it to a file (~/.bash_history by default) when the shell exits. A forensic analyst can retrieve this file and piece together your executed commands. You can avoid leaving history by turning it off before executing your commands: for Bash, export HISTSIZE=0 stops the in-memory list from recording anything, and unset HISTFILE (or set +o history) ensures nothing is written to disk at exit. If the system has already recorded a history you want to delete, run history -c to clear the in-memory list and then empty the file with echo "" > ~/.bash_history (or : > ~/.bash_history, which leaves no blank line); do it in that order, because Bash rewrites the file from memory when the shell exits. On Windows, cmd.exe keeps its command history only in memory for the current console session; you can clear it with Alt+F7 or simply by terminating the process. In PowerShell, Clear-History clears the session history shown by Get-History, but the PSReadLine module keeps a separate persistent history file (its path is shown by (Get-PSReadLineOption).HistorySavePath, normally ConsoleHost_history.txt under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine) that Clear-History does not touch and that must be deleted separately. None of this helps against host-level command auditing such as auditd, Sysmon or PowerShell script block logging, which record commands as they run.
- Shredding files or erasing data securely. Deleting a file with standard OS features only unlinks it; the data blocks remain on disk until reused, so you may want to apply data-wiping techniques to prevent forensic investigators from recovering the incriminating information. On Linux systems this is known as shredding, because the shred command overwrites a file's blocks in place before removing it. For example, shred -zu /root/keylog.bin overwrites the file several times, finishes with a pass of zeros (-z) so the file doesn't obviously look shredded, and then removes it (-u). As the shred manual itself warns, this relies on the file system overwriting data in place and is not reliable on journaled or copy-on-write file systems (for example ext3/ext4 in data=journal mode, Btrfs, ZFS), on volumes with snapshots, or on SSDs with wear leveling, where old blocks may survive. Windows has no built-in command-line equivalent to file-based shredding (SDelete from Sysinternals provides it but must be downloaded), although cipher /w:D:\ overwrites all free space on a volume, so deleting a file and then running cipher /w removes its remnants. You can also overwrite an entire volume with zeros by formatting it: format d: /fs:NTFS /p:1, where the /p switch indicates how many zeroing passes the operation performs. Formatting destroys everything on the volume, so this is exactly the kind of collateral damage the rules of engagement must cover.
- Changing timestamp values. Good forensic investigators reconstruct a narrative of events by correlating event data, and one of the most important attributes in that correlation is time. If you can modify the time at which certain events appear to have occurred, you can lead investigators to believe a false narrative. Time-based values are not limited to event logs. Altering a file's MACE (modified, accessed, created, entry modified) metadata can misdirect investigators into thinking your attack happened at a different time, or lasted for a longer or shorter period than it actually did. You can use the timestomp command in Meterpreter to change MACE values. The command timestomp file.docx -z "07/21/2018 16:21:05" sets all four MACE values of the file to the specified time (the format is MM/DD/YYYY HH24:MI:SS). Two caveats: timestomp changes only the $STANDARD_INFORMATION timestamps in the file's MFT record, not the $FILE_NAME timestamps, and analysts routinely compare the two; and because it works at one-second granularity, the stomped values have all-zero sub-second digits, which is itself a tell on NTFS. The Linux equivalent is touch -d, which sets a file's access and modification times, but no userspace tool can set the ctime (inode change time): the kernel stamps it with the current time, so a file whose mtime is far in the past while its ctime is recent has had its metadata touched recently.
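The following script is an added example and not part of the original text; it puts two of the points above into runnable form on Linux. scrub_log removes the "backdr" entries from an auth.log (the selective clearing from the second technique) while keeping the file's inode and restoring its original modification time, which plain sed -i does not do. stomp_file and check_stomp show the Linux analogue of timestomp with touch -d and the ctime check an analyst can run against it. The log lines are constructed sample data, the file paths are temporary, and the script assumes GNU coreutils (stat -c, touch -d "@epoch").

```shell
#!/usr/bin/env bash
# Added example: selective log scrubbing that preserves inode and mtime, and
# Linux timestamp changes with the ctime tell. Assumes GNU stat/touch.

# Remove every line matching PATTERN from LOGFILE, writing the result back
# into the same inode and restoring the original mtime. `sed -i` instead
# creates a new file (new inode, mtime = now), which stands out in a timeline.
scrub_log() {
    local logfile="$1" pattern="$2"
    local mtime tmp
    mtime=$(stat -c %Y "$logfile")                     # mtime, seconds since epoch
    tmp=$(mktemp)
    grep -v -- "$pattern" "$logfile" > "$tmp" || true  # grep exits 1 if nothing is left
    cat "$tmp" > "$logfile"                            # truncate + rewrite in place
    rm -f "$tmp"
    touch -d "@$mtime" "$logfile"                      # put the old mtime back
}

# Number of lines in FILE matching PATTERN (prints 0 when there are none).
count_matches() {
    grep -c -- "$2" "$1" || true
}

# Set a file's atime and mtime to TIMESTAMP, the Linux analogue of
# `timestomp -z`. touch cannot set ctime; the kernel sets it to "now".
stomp_file() {
    touch -d "$2" "$1"
}

# Print SUSPECT if the file's ctime is more than TOLERANCE seconds (default 60)
# later than its mtime, i.e. the metadata changed after the claimed
# modification time, else OK. A normal write leaves mtime == ctime, but
# chmod/chown/rename also bump ctime, so treat SUSPECT as a lead, not proof.
check_stomp() {
    local f="$1" tol="${2:-60}"
    local m c
    m=$(stat -c %Y "$f")
    c=$(stat -c %Z "$f")
    if [ $((c - m)) -gt "$tol" ]; then echo SUSPECT; else echo OK; fi
}

# Build a constructed auth.log in a temp directory and run both helpers.
demo() {
    local dir log ino_before ino_after
    dir=$(mktemp -d)
    log="$dir/auth.log"
    cat > "$log" <<'EOF'
Jul 21 16:20:01 web01 sshd[2231]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jul 21 16:21:05 web01 sshd[2240]: Accepted password for backdr from 203.0.113.9 port 40110 ssh2
Jul 21 16:21:05 web01 sshd[2240]: pam_unix(sshd:session): session opened for user backdr by (uid=0)
Jul 21 16:25:17 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/apt update
EOF
    ino_before=$(stat -c %i "$log")
    scrub_log "$log" backdr
    ino_after=$(stat -c %i "$log")
    echo "backdr lines left: $(count_matches "$log" backdr)"
    [ "$ino_before" = "$ino_after" ] && echo "inode preserved: $ino_after"

    stomp_file "$log" "2018-07-21 16:21:05"
    echo "mtime: $(stat -c %y "$log")"
    echo "ctime: $(stat -c %z "$log")"
    echo "check_stomp: $(check_stomp "$log")"   # ctime is now, mtime is 2018 -> SUSPECT
    rm -rf "$dir"
}

demo
```

Note that scrub_log's own touch -d bumps ctime as well, so even the quieter in-place rewrite leaves the mtime/ctime gap that check_stomp reports; on ext4 the birth time (stat -c %w) is another value touch cannot change.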