Covering tracks involves removing or deleting any evidence of the penetration test, including logs, files and other digital footprints, to prevent detection by the system administrators or security team.
🔹Do not leave any trail that can lead back to you.
Shred
Auditpol
Common logs: Event logs, Firewall logs, Netflow logs, System logs
Tools
Microsoft Sysinternals i.e. SDelete, Process Explorer, Autoruns
Clear logs i.e. syslog, Microsoft Event Viewer
Disabling logging services like rsyslog and then deleting logs is the most effective way to cover tracks by clearing logs on a Linux system.
The shred command securely overwrites files to prevent recovery, but using it on log files without first stopping the logging service is ineffective.
clearev (Metasploit) # clear application, system & security logs
MSTSC PowerShell tool & RDP
>mstsc /public
>mstsc /public /v:192.168.1.10
- Prevents credential caching.
- Disables saving of user settings.
Deploying rootkits to hide the presence of malicious software or unauthorized access. Application rootkits can obscure files, processes, and network connections, making it difficult for system administrators to detect the hacker's activities.
Changing File Timestamps. Can be used to change the creation, modification, and access times of files to mislead forensic investigations.
Network Traffic Obfuscation. Using techniques to disguise or encrypt network traffic to prevent detection by intrusion detection systems (IDS). This can involve tunneling traffic through secure channels or using VPNs to mask the source of the traffic. This helps in masking the source of the attack and makes it harder to trace back to the ethical hacker.
Tor
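The log-clearing items above (clearev, Auditpol, Event Viewer) are what a defender looks for on the other side. The following is an added detection example, not part of the original notes: it runs over a few constructed Windows event records (JSON lines, as a SIEM forwarder might emit them) and flags the documented log-clear events (Security 1102, System/Application 104), rating them higher when an audit-policy change (4719) or a logging-service shutdown (1100) on the same host precedes them within a short window. The function and variable names are my own.

```python
"""Flag Windows event-log records that indicate log clearing or audit-policy tampering.
Added example with constructed sample records; no real telemetry."""
import json
from datetime import datetime, timedelta

# Event IDs documented by Microsoft. A log-clear event shortly after an
# audit-policy change is the pattern to hunt for after clearev / auditpol usage.
CLEAR_EVENTS = {
    1102: "Security log cleared",
    104: "System/Application log cleared",
}
POLICY_EVENTS = {
    4719: "System audit policy changed",
    1100: "Event logging service shut down",
}

# Constructed sample telemetry (hosts, users and times are made up).
SAMPLE_EVENTS = """
{"time": "2024-03-01T10:00:05", "host": "ws01", "channel": "Security", "event_id": 4624, "user": "alice"}
{"time": "2024-03-01T10:02:11", "host": "ws01", "channel": "Security", "event_id": 4719, "user": "alice"}
{"time": "2024-03-01T10:02:40", "host": "ws01", "channel": "Security", "event_id": 1102, "user": "alice"}
{"time": "2024-03-01T10:03:02", "host": "ws01", "channel": "System", "event_id": 104, "user": "alice"}
{"time": "2024-03-01T11:30:00", "host": "srv02", "channel": "Security", "event_id": 4624, "user": "bob"}
{"time": "2024-03-01T23:59:59", "host": "srv02", "channel": "Security", "event_id": 1102, "user": "SYSTEM"}
"""


def parse_events(text):
    """Parse JSON-lines records into dicts with a datetime 'time' field."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def find_log_tampering(events, window=timedelta(minutes=10)):
    """Return one alert per clear event. Severity is 'high' when a policy-change
    or service-shutdown event on the same host precedes it within `window`,
    otherwise 'medium'. Events are assumed to be in time order."""
    alerts = []
    policy_changes = [e for e in events if e["event_id"] in POLICY_EVENTS]
    for e in events:
        if e["event_id"] not in CLEAR_EVENTS:
            continue
        related = [
            p for p in policy_changes
            if p["host"] == e["host"] and timedelta(0) <= e["time"] - p["time"] <= window
        ]
        alerts.append({
            "host": e["host"],
            "user": e["user"],
            "event_id": e["event_id"],
            "reason": CLEAR_EVENTS[e["event_id"]],
            "severity": "high" if related else "medium",
            "preceded_by": [p["event_id"] for p in related],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_log_tampering(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Event 1102 is written as the first record of the freshly cleared Security log, so clearing the log locally leaves a marker behind; when logs are forwarded to a collector, the cleared records survive there as well, which is why a SIEM-side rule like this one is the usual control.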
Methods
$ cd /var/log
$ ls
$ shred file.log
$ echo $SHELL
$ nano ~/.bash_history (or ~/.zsh_history)
$ history -c
Microsoft Windows.
Using Rootkits.
Tools
Metasploit framework
Touch command
timestamp
bulkFileChanger
PowerShell
Exiftool
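From the forensic side, timestamp changes made with touch or similar tools are detectable on Linux because utime() can set atime and mtime but the kernel always sets the inode change time (ctime) to the current time. The following is an added example, not part of the original notes: a heuristic scanner that flags files whose mtime lies well before their ctime, and files whose mtime has a zero sub-second part (whole-second values are what touch -t and SetFileTime-style tools typically write). The demo() helper builds a temporary directory with one normal file and one backdated file so the check can be exercised offline; all names are my own. Caveat: a plain rename or chmod also advances ctime without touching mtime, so the first indicator is a lead for review rather than proof, and on Windows st_ctime is the creation time, so the heuristic as written targets Linux and similar systems.

```python
"""Heuristic check for backdated file timestamps (timestomping).
Added example, not from the original notes."""
import os
import tempfile
import time

SECOND_NS = 1_000_000_000


def timestamp_indicators(path, slack_seconds=60):
    """Return a list of indicator names for one file (empty when nothing stands out)."""
    st = os.stat(path)
    indicators = []
    # mtime earlier than ctime by more than `slack_seconds`: the timestamps were
    # rewritten (or the file was renamed/chmod'ed) after its last content write.
    if st.st_ctime - st.st_mtime > slack_seconds:
        indicators.append("mtime_before_ctime")
    # Whole-second mtime: real writes on ext4/xfs carry a nanosecond part,
    # timestamp-setting tools usually do not.
    if st.st_mtime_ns % SECOND_NS == 0:
        indicators.append("whole_second_mtime")
    return indicators


def scan_directory(root, slack_seconds=60):
    """Walk `root` and map each suspicious path to its indicator list."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            indicators = timestamp_indicators(path, slack_seconds)
            if indicators:
                findings[path] = indicators
    return findings


def demo():
    """Create a normal file and a backdated file in a temp dir; return {basename: indicators}."""
    workdir = tempfile.mkdtemp()
    normal = os.path.join(workdir, "normal.log")
    stomped = os.path.join(workdir, "stomped.log")
    for path in (normal, stomped):
        with open(path, "w") as f:
            f.write("sample line\n")  # constructed content
    # Simulate what a timestamp-changing tool does: set atime/mtime one year back.
    # ctime cannot be set this way and therefore stays at "now".
    one_year_ago = int(time.time()) - 365 * 86400
    os.utime(stomped, (one_year_ago, one_year_ago))
    results = scan_directory(workdir)
    return {os.path.basename(p): ind for p, ind in results.items()}


if __name__ == "__main__":
    for name, indicators in demo().items():
        print(name, indicators)
```

On NTFS the equivalent check compares the $STANDARD_INFORMATION timestamps (the ones user-mode tools rewrite) with the $FILE_NAME timestamps in the MFT record, which those tools do not update; that comparison needs a raw MFT parser and is outside this example.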
Using Anonymizing Tools.
Tools
Proxy servers
VPNs
Dumping used equipment.
Fire - Paper shredder