Windows Post Exploitation - Covering Your Tracks
My last link dump contained materials covering Windows Privilege Escalation. A logical next step would be to hide the evidence that you were on the system in an effort to slow Blue Team detection (if scope allows).
CMD
- CMD - https://www.penflip.com/pwnwiki/pwnwiki/blob/master/covering-tracks-windows.txt
- Enable Disable Event Logs - https://www.windows-commandline.com/enable-disable-event-log-service/
- PowerShell Remove-EventLog - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/remove-eventlog?view=powershell-5.1
- PowerShell Clear-EventLog - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/clear-eventlog?view=powershell-5.1
- cipher.exe - http://techgenix.com/Using-cipherexe/
Tutorials
- Null-Byte Cover Your Tracks & Leave No Trace - https://null-byte.wonderhowto.com/how-to/hack-like-pro-cover-your-tracks-leave-no-trace-behind-target-system-0148123/
- InfoSec Institute Pentesting Covering Tracks - http://resources.infosecinstitute.com/penetration-testing-covering-tracks/
- InfoSec Institute Anti-Forensics Pt1 - http://resources.infosecinstitute.com/anti-forensics-part-1/
- Hacker's Guide for Anti-Forensics - https://www.hackingloops.com/how-to-remove-traces-make-your-computer-untraceable/
- Two Data Hiding Techniques - http://windowsitpro.com/windows/two-data-hiding-techniques
- NTFS Streams - http://www.powertheshell.com/ntfsstreams/
Tools
- clearlogs.exe - http://ntsecurity.nu/toolbox/clearlogs/
- winzapper - http://ntsecurity.nu/toolbox/winzapper/
- snow.exe - http://www.darkside.com.au/snow/
- MP3stego - http://www.petitcolas.net/steganography/mp3stego/
- Steganography Tools - https://en.wikipedia.org/wiki/Steganography_tools
- OpenPuff - https://en.wikipedia.org/wiki/OpenPuff