Covering Tracks

Penetration Testing Wiki

Linux

Without administrative privileges

history -c
unset HISTFILE

With administrative privileges

gcc 0x333shadow.c -o 0x333shadow -D Linux
./0x333shadow -a -i $IP -l 5

Show times:

stat $FILE

Modify access times:

touch -a -d '23 Mar 2018 10:10' $FILE

Modify modification time:

touch -m -d '23 Mar 2018 10:10' $FILE
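
Added example (not part of the original wiki): a defender-side triage check for the touch commands above. touch -d rewrites atime/mtime, but the kernel stamps ctime with the current time on that same call, so a file whose mtime or atime is far older than its ctime deserves a closer look. Assumes GNU coreutils stat; the function names and the one-day default threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: flag files whose mtime/atime look back-dated relative to ctime.
# Assumes GNU coreutils (stat -c). Function names are hypothetical.

# Print "<ctime-mtime> <ctime-atime> <mtime nanoseconds>" for one file.
ts_gaps() {
    f=$1
    m=$(stat -c %Y -- "$f") || return 2   # mtime, epoch seconds
    a=$(stat -c %X -- "$f") || return 2   # atime, epoch seconds
    c=$(stat -c %Z -- "$f") || return 2   # ctime (inode change), epoch seconds
    # %y looks like "2018-03-23 10:10:00.000000000 +0000"; keep the ns field.
    # A date given to the minute leaves it all zeros, a second weak indicator.
    ns=$(stat -c %y -- "$f" | sed -n 's/^[^.]*\.\([0-9]*\).*/\1/p')
    echo "$((c - m)) $((c - a)) ${ns:-0}"
}

# Return 0 when mtime or atime precedes ctime by more than MIN_GAP seconds.
# Usage: is_backdated FILE [MIN_GAP]   (default 86400 = one day)
is_backdated() {
    min_gap=${2:-86400}
    gaps=$(ts_gaps "$1") || return 2
    set -- $gaps                          # $1 = ctime-mtime, $2 = ctime-atime
    [ "$1" -gt "$min_gap" ] || [ "$2" -gt "$min_gap" ]
}

# Walk a directory and print "<gaps><TAB><path>" for every flagged file.
# Usage: scan_backdated DIR [MIN_GAP]
scan_backdated() {
    find "$1" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        if is_backdated "$f" "${2:-86400}"; then
            printf '%s\t%s\n' "$(ts_gaps "$f")" "$f"
        fi
    done
}

# Example: scan_backdated /var/www 3600
```

Archive extraction, cp -p and rsync -t also leave mtime older than ctime, so treat hits as leads to correlate with other evidence, not as proof.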

Windows

With administrative privileges

Delete entries in:

eventvwr

Without administrative privileges

Modify file timestamps:

timestomp.exe $FILE -z "Thursday 23/03/2018 10:00:00 PM"
powershell -Command "(Get-Item $FILE).LastWriteTime = $(Get-Date).AddHours(-8)"