Covering Tracks on Windows - Link Dump by pwnedu

View this thread on: hive.blog | peakd.com | ecency.com

hacking · @pwnedu · Sep 3 '17

Covering Tracks on Windows - Link Dump

<html>
<h1>Windows Post Exploitation - Covering Your Tracks</h1>
<p>My last link dump contained materials covering Windows Privilege Escalation. A logical next step would be to hide the evidence that you were on the system in an effort to slow Blue Team detection (if scope allows).&nbsp;</p>
<h2>CMD</h2>
<ul>
  <li>CMD - https://www.penflip.com/pwnwiki/pwnwiki/blob/master/covering-tracks-windows.txt</li>
  <li>Enable Disable Event Logs - https://www.windows-commandline.com/enable-disable-event-log-service/</li>
  <li>PowerShell Remove-EventLog - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/remove-eventlog?view=powershell-5.1</li>
  <li>PowerShell Clear-EventLog - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/clear-eventlog?view=powershell-5.1</li>
  <li>cipher.exe - http://techgenix.com/Using-cipherexe/</li>
</ul>
<h2>Tutorials</h2>
<ul>
  <li>Null-Byte Cover Your Tracks &amp; Leave No Trace - https://null-byte.wonderhowto.com/how-to/hack-like-pro-cover-your-tracks-leave-no-trace-behind-target-system-0148123/</li>
  <li>InfoSec Institute Pentesting Covering Tracks - http://resources.infosecinstitute.com/penetration-testing-covering-tracks/</li>
  <li>InfoSec Institute Ant-Forensics Pt1 - http://resources.infosecinstitute.com/anti-forensics-part-1/</li>
  <li>Hacker's Guide for Anti-Forensics - https://www.hackingloops.com/how-to-remove-traces-make-your-computer-untraceable/</li>
  <li>Two Data Hiding Techniques - http://windowsitpro.com/windows/two-data-hiding-techniques</li>
  <li>NTFS Streams - http://www.powertheshell.com/ntfsstreams/</li>
</ul>
<h2>Tools</h2>
<ul>
  <li>clearlogs.exe - http://ntsecurity.nu/toolbox/clearlogs/</li>
  <li>winzapper - http://ntsecurity.nu/toolbox/winzapper/</li>
  <li>snow.exe - http://www.darkside.com.au/snow/</li>
  <li>MP3stego - http://www.petitcolas.net/steganography/mp3stego/</li>
  <li>Steganography Tools - https://en.wikipedia.org/wiki/Steganography_tools</li>
  <li>OpenPuff - https://en.wikipedia.org/wiki/OpenPuff</li>
</ul>
</html>

👍 malay11

`author`	pwnedu
`permlink`	covering-tracks-on-windows-link-dump
`category`	hacking
`json_metadata`	{"tags":["hacking","windows","cybersecurity","tutorials","technology"],"links":["https://www.penflip.com/pwnwiki/pwnwiki/blob/master/covering-tracks-windows.txt","https://www.windows-commandline.com/enable-disable-event-log-service/","https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/remove-eventlog?view=powershell-5.1","https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/clear-eventlog?view=powershell-5.1","http://techgenix.com/Using-cipherexe/","https://null-byte.wonderhowto.com/how-to/hack-like-pro-cover-your-tracks-leave-no-trace-behind-target-system-0148123/","http://resources.infosecinstitute.com/penetration-testing-covering-tracks/","http://resources.infosecinstitute.com/anti-forensics-part-1/","https://www.hackingloops.com/how-to-remove-traces-make-your-computer-untraceable/","http://windowsitpro.com/windows/two-data-hiding-techniques","http://www.powertheshell.com/ntfsstreams/","http://ntsecurity.nu/toolbox/clearlogs/","http://ntsecurity.nu/toolbox/winzapper/","http://www.darkside.com.au/snow/","http://www.petitcolas.net/steganography/mp3stego/","https://en.wikipedia.org/wiki/Steganography_tools","https://en.wikipedia.org/wiki/OpenPuff"],"app":"steemit/0.1","format":"html"}
`created`	2017-09-03 17:59:18
`last_update`	2017-09-03 17:59:18
`depth`	0
`children`	5
`last_payout`	2017-09-10 17:59:18
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	2,084
`author_reputation`	38,394,115,304
`root_title`	"Covering Tracks on Windows - Link Dump"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	13,766,308
`net_rshares`	3,084,278,911
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
malay11	0 B		3,084,278,911	100%

@steemitboard · Jul 8 '19

Congratulations @pwnedu! You received a personal award!

<table><tr><td>https://steemitimages.com/70x70/http://steemitboard.com/@pwnedu/birthday2.png</td><td>Happy Birthday! - You are on the Steem blockchain for 2 years!</td></tr></table>

<sub>_You can view [your badges on your Steem Board](https://steemitboard.com/@pwnedu) and compare to others on the [Steem Ranking](https://steemitboard.com/ranking/index.php?name=pwnedu)_</sub>


###### [Vote for @Steemitboard as a witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1) to get one more award and increased upvotes!

properties (22)

`author`	steemitboard
`permlink`	steemitboard-notify-pwnedu-20190708t154412000z
`category`	hacking
`json_metadata`	{"image":["https://steemitboard.com/img/notify.png"]}
`created`	2019-07-08 15:44:12
`last_update`	2019-07-08 15:44:12
`depth`	1
`children`	0
`last_payout`	2019-07-15 15:44:12
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	612
`author_reputation`	38,975,615,169,260
`root_title`	"Covering Tracks on Windows - Link Dump"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	88,001,744
`net_rshares`	0

@zeronumbers · Sep 3 '17

Why not just use flashdrive with tails?

properties (22)

`author`	zeronumbers
`permlink`	re-pwnedu-covering-tracks-on-windows-link-dump-20170903t230908500z
`category`	hacking
`json_metadata`	{"tags":["hacking"],"app":"steemit/0.1"}
`created`	2017-09-03 23:09:54
`last_update`	2017-09-03 23:09:54
`depth`	1
`children`	3
`last_payout`	2017-09-10 23:09:54
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	39
`author_reputation`	1,085,940,622,400
`root_title`	"Covering Tracks on Windows - Link Dump"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	13,789,612
`net_rshares`	0

@pwnedu · Sep 4 '17

$0.36

Tails is great, but this is in reference to post exploitation on a windows device. Being anonymous and covering your tracks are related, but still very different. Just because you are attacking from tails does not mean that you will not leave indications of compromise.

👍 good-karma, esteemapp, feruz, bounties, steempoll, demo, tipping, mysteem

properties (23)vote details (8)

voter	rshares	pct
good-karma	100,272,221,258	0.5%
mysteem	84,110,067	1%
demo	162,276,774	1%
feruz	1,521,402,005	1%
esteemapp	2,067,428,911	1%
bounties	172,474,655	1%
steempoll	167,421,006	1%
tipping	152,152,984	1%

@zeronumbers · Sep 4 '17

Can you explain this more?

properties (22)

`author`	zeronumbers
`permlink`	re-pwnedu-re-zeronumbers-201793t192656958z-20170904t003212523z
`category`	hacking
`json_metadata`	{"tags":["hacking"],"app":"steemit/0.1"}
`created`	2017-09-04 00:33:00
`last_update`	2017-09-04 00:33:00
`depth`	3
`children`	1
`last_payout`	2017-09-11 00:33:00
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	26
`author_reputation`	1,085,940,622,400
`root_title`	"Covering Tracks on Windows - Link Dump"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	13,794,449
`net_rshares`	0

1 reply