Covering Tracks

From pentestwiki.org

Linux

Without administrative privileges

$ history -c
$ unset HISTFILE


With administrative privileges

root # gcc 0x333shadow.c -o 0x333shadow -D Linux
root # ./0x333shadow -a -i $IP -l 5



Show times:

$ stat $FILE


Modify access times:

$ touch -a -d '23 Mar 2018 10:10' $FILE


Modify modification time:

$ touch -m -d '23 Mar 2018 10:10' $FILE
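
The effect of the touch commands above can be checked from the defender's side. This Python sketch is an added example, not part of the original page: it assumes a Linux/POSIX filesystem where st_ctime is the inode change time and timestamps have nanosecond resolution, and the function names, finding labels and slack value are illustrative.

```python
import os
import tempfile

NS = 10**9
BACKDATED_NS = 1521799800 * NS  # constructed sample: 23 Mar 2018 10:10 UTC


def timestamp_findings(mtime_ns, ctime_ns, slack_ns=2 * NS):
    """Heuristic indicators that mtime was set by hand (names are illustrative)."""
    findings = []
    # touch/utimensat() can set atime and mtime, but the kernel stamps ctime
    # with the current clock, so a backdated mtime trails ctime.
    if ctime_ns - mtime_ns > slack_ns:
        findings.append("mtime_before_ctime")
    # A date given to minute precision leaves the nanosecond field at zero.
    if mtime_ns % NS == 0:
        findings.append("mtime_whole_second")
    return findings


def check_file(path):
    """Apply the heuristics to a file on disk."""
    st = os.stat(path)
    return timestamp_findings(st.st_mtime_ns, st.st_ctime_ns)


def demo():
    """Create a scratch file, backdate it, and report findings before/after."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"constructed sample\n")
        path = fh.name
    try:
        before = check_file(path)
        os.utime(path, ns=(BACKDATED_NS, BACKDATED_NS))  # what touch -d does
        after = check_file(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh file:    ", before)
    print("after backdate:", after)
```

Both indicators also occur legitimately (archive extraction and cp -p preserve old mtimes, chmod and rename move ctime only), so treat a hit as a triage lead to correlate with other evidence.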


Windows

With administrative privileges

  • Delete entries in the Event Viewer:
C:\> eventvwr


Without administrative privileges

Modify file timestamps:

C:\> timestomp.exe $FILE -z "Thursday 23/03/2018 10:00:00 PM"


C:\> powershell -Command "(Get-Item $FILE).LastWriteTime = $(Get-Date).AddHours(-8)"