hacktricks/forensics/basic-forensic-methodology/anti-forensic-techniques.md
2024-02-10 17:52:19 +00:00


Timestamps

An attacker may be interested in changing the timestamps of files to avoid being detected.
The timestamps can be found inside the MFT, in the attributes $STANDARD_INFORMATION and $FILE_NAME.

Both attributes hold 4 timestamps: modification, access, creation, and MFT entry modification (MACE or MACB).

Windows explorer and other tools show the information from $STANDARD_INFORMATION.

TimeStomp - Anti-forensic Tool

This tool modifies the timestamp information inside $STANDARD_INFORMATION but not the information inside $FILE_NAME. Therefore, comparing both attributes makes it possible to identify suspicious activity.

Usnjrnl

The USN Journal (Update Sequence Number Journal) is a feature of NTFS (the Windows NT file system) that keeps track of volume changes. The UsnJrnl2Csv tool allows these changes to be examined.

The image above shows the output of the tool, where it can be observed that some changes were performed on the file.
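As an added example (it is not code from HackTricks or from the UsnJrnl2Csv project), the following Python script parses raw USN_RECORD_V2 entries, the record format kept in the $UsnJrnl:$J stream, and lists every record whose reason flags include USN_REASON_BASIC_INFO_CHANGE, the reason NTFS logs when a file's timestamps or attributes are rewritten. The sample journal is constructed inline, and the file names, USNs and times in it are made up; pointing parse_usn_journal() at $J data carved from an image gives the same kind of listing.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of the documented USN_REASON_* flag bits.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",   # timestamps or attributes rewritten
    0x80000000: "CLOSE",
}
USN_REASON_BASIC_INFO_CHANGE = 0x00008000

# USN_RECORD_V2 fixed header: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_HDR = struct.Struct("<IHHQQQQIIIIHH")

def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def build_usn_record(usn, timestamp, reason, name, file_ref=0x0001000000000042):
    """Serialise one USN_RECORD_V2; used here only to construct sample input."""
    name_bytes = name.encode("utf-16-le")
    length = _HDR.size + len(name_bytes)
    length += (-length) % 8                       # records are 8-byte aligned
    hdr = _HDR.pack(length, 2, 0, file_ref, 0x0005000000000005, usn, timestamp,
                    reason, 0, 0, 0x20, len(name_bytes), _HDR.size)
    return hdr + name_bytes + b"\x00" * (length - _HDR.size - len(name_bytes))

def parse_usn_journal(blob):
    """Walk a buffer of consecutive USN_RECORD_V2 entries and decode each one."""
    records, offset = [], 0
    while offset + _HDR.size <= len(blob):
        fields = _HDR.unpack_from(blob, offset)
        length = fields[0]
        if length == 0:                           # zero fill between journal pages
            offset += 8
            continue
        name_len, name_off = fields[11], fields[12]
        name = blob[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": fields[5],
            "time": filetime_to_datetime(fields[6]),
            "reason_raw": fields[7],
            "reasons": [n for bit, n in USN_REASONS.items() if fields[7] & bit],
            "name": name,
        })
        offset += length
    return records

def find_timestamp_rewrites(records):
    """(name, usn, time) for every record that rewrote a file's basic info."""
    return [(r["name"], r["usn"], r["time"]) for r in records
            if r["reason_raw"] & USN_REASON_BASIC_INFO_CHANGE]

# Constructed sample journal: a file is created and written, then its basic
# info (timestamps) is rewritten a minute later; an unrelated write follows.
T0 = datetime_to_filetime(datetime(2023, 5, 1, 12, 34, 56, tzinfo=timezone.utc))
SAMPLE_JOURNAL = b"".join([
    build_usn_record(1024, T0, 0x00000100, "report.docx"),
    build_usn_record(1104, T0 + 10, 0x00000102 | 0x80000000, "report.docx"),
    b"\x00" * 16,                                                  # page padding
    build_usn_record(1192, T0 + 600_000_000, 0x00008000 | 0x80000000, "report.docx"),
    build_usn_record(1272, T0 + 700_000_000, 0x00000001 | 0x80000000, "notes.txt"),
])

if __name__ == "__main__":
    for name, usn, when in find_timestamp_rewrites(parse_usn_journal(SAMPLE_JOURNAL)):
        print(f"{when:%Y-%m-%d %H:%M:%S} USN {usn}: BASIC_INFO_CHANGE on {name}")
```

The point of the check is that the journal records the rewrite at the moment it happened, so a BASIC_INFO_CHANGE entry for a file whose $STANDARD_INFORMATION timestamps now claim an older date is a direct trace of the tool's activity.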

$LogFile

All metadata changes to the file system are logged in a process known as write-ahead logging. The logged metadata is kept in a file named $LogFile, located in the root directory of an NTFS file system. Tools such as LogFileParser can be used to parse this file and identify changes.

Again, in the output of the tool it's possible to see that some changes were performed.

Using the same tool it's possible to identify at which time the timestamps were modified:

  • CTIME: File's creation time
  • ATIME: File's modification time
  • MTIME: File's MFT registry modification
  • RTIME: File's access time

$STANDARD_INFORMATION and $FILE_NAME comparison

Another way to identify suspiciously modified files is to compare the timestamps in both attributes, looking for mismatches.

Nanoseconds

NTFS timestamps have a precision of 100 nanoseconds, so finding files with timestamps like 2010-10-10 10:10:00.000:0000 (all-zero fractional seconds) is very suspicious.
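The following Python script is an added example, not code from HackTricks, that combines the two checks above: it parses a raw 1024-byte MFT FILE record (applying the fixup array first), reads the four FILETIME values from $STANDARD_INFORMATION and $FILE_NAME, and reports both all-zero fractional seconds and $STANDARD_INFORMATION timestamps that are earlier than their $FILE_NAME counterparts. The two records it analyses are constructed inline (the file name and times are made up); on a real case the same function is applied to every record extracted from $MFT.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE = 1024
TIME_FIELDS = ("created", "modified", "mft_modified", "accessed")  # on-disk order
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF

def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def _resident_attr(atype, content):
    # 24-byte resident attribute header + content, padded to an 8-byte boundary
    length = 24 + len(content)
    length += (-length) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return hdr + content + b"\x00" * (length - 24 - len(content))

def build_record(si_times, fn_times, name):
    """Build a minimal 1024-byte FILE record (sample input only) with valid fixups."""
    si = _resident_attr(ATTR_STANDARD_INFORMATION, struct.pack("<4Q4I", *si_times, 0x20, 0, 0, 0))
    fn = _resident_attr(ATTR_FILE_NAME, struct.pack("<Q4QQQIIBB", 5, *fn_times, 0, 0, 0x20, 0,
                                                    len(name), 3) + name.encode("utf-16-le"))
    attrs = si + fn + struct.pack("<II", ATTR_END, 0)
    usa_offset, usa_count, first_attr = 0x30, 3, 0x38
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHIIQH", rec, 0, b"FILE", usa_offset, usa_count, 0, 1, 1,
                     first_attr, 1, first_attr + len(attrs), RECORD_SIZE, 0, 3)
    rec[first_attr:first_attr + len(attrs)] = attrs
    usn = b"\x01\x00"   # the last 2 bytes of each 512-byte sector are swapped with the USN
    rec[usa_offset:usa_offset + 2] = usn
    for i in range(1, usa_count):
        end = i * 512 - 2
        rec[usa_offset + 2 * i:usa_offset + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)

def apply_fixups(record):
    """Undo the update sequence array; a mismatch means a torn or corrupt record."""
    rec = bytearray(record)
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_offset:usa_offset + 2])
    for i in range(1, usa_count):
        end = i * 512 - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError(f"fixup mismatch in sector {i}")
        rec[end:end + 2] = rec[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(rec)

def parse_record(record):
    """Return the MACE timestamps of $STANDARD_INFORMATION and $FILE_NAME plus the name."""
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    offset, out = struct.unpack_from("<H", rec, 0x14)[0], {}
    while True:
        atype, alen = struct.unpack_from("<II", rec, offset)
        if atype == ATTR_END:
            break
        nonresident = rec[offset + 8]
        clen, coff = struct.unpack_from("<IH", rec, offset + 0x10)
        content = rec[offset + coff:offset + coff + clen]
        if not nonresident and atype == ATTR_STANDARD_INFORMATION:
            out["$STANDARD_INFORMATION"] = dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", content, 0)))
        elif not nonresident and atype == ATTR_FILE_NAME:
            # timestamps start at offset 8, after the parent directory reference
            out["$FILE_NAME"] = dict(zip(TIME_FIELDS, struct.unpack_from("<4Q", content, 8)))
            out["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        offset += alen
    return out

def analyze_record(record):
    """Flag all-zero fractional seconds and $STANDARD_INFORMATION earlier than $FILE_NAME."""
    attrs = parse_record(record)
    si, fn, findings = attrs["$STANDARD_INFORMATION"], attrs["$FILE_NAME"], []
    for field in TIME_FIELDS:
        if si[field] % 10_000_000 == 0:
            findings.append(f"{field}: $STANDARD_INFORMATION has all-zero fractional seconds")
        # $FILE_NAME is only rewritten on create/rename/move, so it normally lags
        # $STANDARD_INFORMATION; the reverse order is a timestomping indicator.
        if si[field] < fn[field]:
            findings.append(f"{field}: $STANDARD_INFORMATION {filetime_to_datetime(si[field])} "
                            f"is earlier than $FILE_NAME {filetime_to_datetime(fn[field])}")
    return attrs["name"], findings

# Constructed samples: a genuine-looking time with non-zero 100 ns ticks, and the
# same file after a TimeStomp-style rewrite of $STANDARD_INFORMATION only.
_REAL = datetime_to_filetime(datetime(2023, 5, 1, 12, 34, 56, tzinfo=timezone.utc)) + 1234567
_STOMPED = datetime_to_filetime(datetime(2010, 10, 10, 10, 10, 0, tzinfo=timezone.utc))
CLEAN_RECORD = build_record([_REAL] + [_REAL + 5_000_000] * 3, [_REAL] * 4, "report.docx")
STOMPED_RECORD = build_record([_STOMPED] * 4, [_REAL] * 4, "report.docx")
```

Calling analyze_record(STOMPED_RECORD) yields eight findings (both indicators on all four fields), while analyze_record(CLEAN_RECORD) yields none. Only the first $FILE_NAME attribute is kept; records that also carry a DOS 8.3 name have a second one with the same timestamps.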

SetMace - Anti-forensic Tool

This tool can modify both attributes, $STANDARD_INFORMATION and $FILE_NAME. However, from Windows Vista onwards, a live OS is required to modify this information.

Data Hiding

NTFS allocates space in clusters, which are its minimum allocation unit. That means that if a file occupies a cluster and a half, the remaining half cluster is never going to be used until the file is deleted. Then, it's possible to hide data in this slack space.

There are tools like slacker that allow hiding data in this "hidden" space. However, an analysis of the $logfile and $usnjrnl can show that some data was added:

Then, it's possible to retrieve the slack space using tools like FTK Imager. Note that this kind of tool can store the content obfuscated or even encrypted.

UsbKill

This is a tool that will turn off the computer if any change in the USB ports is detected.
A way to discover it is to inspect the running processes and review each Python script that is running.

Live Linux Distributions

These distros run entirely from RAM. The only way to detect them is when the NTFS file system is mounted with write permissions. If it's mounted read-only, it won't be possible to detect the intrusion.

Secure Deletion

https://github.com/Claudio-C/awesome-data-sanitization

Windows Configuration

It's possible to disable several Windows logging mechanisms to make the forensic investigation much harder.

Disable Timestamps - UserAssist

This is a registry key that maintains the date and time at which each executable was run by the user.

Disabling UserAssist requires two steps:

  1. Set two registry values, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled, both to zero in order to signal that UserAssist should be disabled.
  2. Clear the registry subtrees that look like HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<hash>.

Disable Timestamps - Prefetch

Prefetch saves information about the applications executed, with the goal of improving the performance of the Windows system. However, this information is also useful for forensic purposes.

  • Execute regedit
  • Select the file path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
  • Right-click on both EnablePrefetcher and EnableSuperfetch
  • Select Modify on each of these to change the value from 1 (or 3) to 0
  • Restart

Disable Timestamps - Last Access Time

Whenever a folder is opened from an NTFS volume on a Windows NT server, the system takes the time to update a timestamp field on each listed folder, called the last access time. On a heavily used NTFS volume, this can affect performance.

  1. Open the Registry Editor (Regedit.exe).
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem.
  3. Look for NtfsDisableLastAccessUpdate. If it doesn't exist, add this DWORD and set its value to 1, which will disable the process.
  4. Close the Registry Editor, and reboot the server.

Delete USB History

USB Device Entries are stored in the Windows Registry under the USBSTOR registry key. This key contains subkeys that are created when a USB Device is plugged into a PC or Laptop. The key can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR. Deleting this key will delete the USB history.
You can also use the tool USBDeview to ensure that the entries are deleted (and to delete them).

Another file that saves information about USBs is the file setupapi.dev.log located in C:\Windows\INF. This file should also be deleted.

Disable Shadow Copies

To list shadow copies, use vssadmin list shadowstorage.
To delete them, run vssadmin delete shadow.

You can also delete them using the GUI by following the steps provided in https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html.

To disable shadow copies, follow these steps:

  1. Open the Services program by typing "services" into the text search box after clicking the Windows start button.
  2. Find "Volume Shadow Copy" from the list, select it, and access Properties by right-clicking.
  3. Choose "Disabled" from the "Startup type" drop-down menu, and confirm the change by clicking Apply and OK.

It is also possible to modify the configuration of which files are copied in the shadow copy by editing the registry key HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot.

Overwrite deleted files

  • You can use a Windows tool: cipher /w:C. This command instructs cipher to remove any data from the available unused disk space on the C drive.
  • You can also use tools like Eraser.

Delete Windows event logs

  • Windows + R --> eventvwr.msc --> Expand "Windows Logs" --> Right-click each category and select "Clear Log".
  • for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1".
  • Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }.

Disable Windows event logs

  • reg add "HKLM\SYSTEM\CurrentControlSet\Services\eventlog" /v Start /t REG_DWORD /d 4 /f.
  • Disable the "Windows Event Log" service in the services section.
  • WEvtUtil.exe clear-log or WEvtUtil.exe cl.

Disable $UsnJrnl

  • fsutil usn deletejournal /d c:.
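From the defender's side, every setting in this Windows Configuration section leaves a registry value that can be audited. The Python script below is an added example (not from HackTricks) that checks the values named above plus the Start value of the VSS service; that service path is an assumption about where the Services console stores the "Startup type" chosen in the shadow copy steps. The two snapshots are constructed; collect_snapshot() reads the live values with winreg on a Windows host.

```python
import sys

# (registry path, value name, values that indicate tampering, explanation)
# The first six paths come from the sections above. The VSS service path is an
# assumption: Start=4 is what the Services console writes for "Startup type: Disabled".
ANTI_FORENSIC_CHECKS = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Start_TrackProgs", {0}, "UserAssist program tracking disabled"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Start_TrackEnabled", {0}, "UserAssist disabled"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters",
     "EnablePrefetcher", {0}, "Prefetch disabled"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters",
     "EnableSuperfetch", {0}, "Superfetch disabled"),
    # Only the explicit value 1 from the steps above is flagged; newer Windows
    # builds store other values here for "system managed" modes.
    (r"HKLM\SYSTEM\CurrentControlSet\Control\FileSystem",
     "NtfsDisableLastAccessUpdate", {1}, "NTFS last access time updates disabled"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\eventlog",
     "Start", {4}, "Windows Event Log service disabled"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\VSS",
     "Start", {4}, "Volume Shadow Copy service disabled"),
]

def audit(snapshot):
    """snapshot maps (path, value_name) -> int, or None when the value is absent.
    Returns one finding string per anti-forensic setting that is in effect."""
    findings = []
    for path, name, bad, why in ANTI_FORENSIC_CHECKS:
        value = snapshot.get((path, name))
        if value is not None and value in bad:
            findings.append(f"{why}: {path}\\{name} = {value}")
    return findings

def collect_snapshot():
    """Read the checked values from the live registry (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for path, name, _, _ in ANTI_FORENSIC_CHECKS:
        hive, _, subkey = path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                snapshot[(path, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:                      # key or value does not exist
            snapshot[(path, name)] = None
    return snapshot

# Constructed snapshots, in check order: UserAssist values absent, Prefetch 3/3,
# last-access updates on, eventlog Start=2 (automatic), VSS Start=3 (manual) ...
_KEYS = [(p, n) for p, n, _, _ in ANTI_FORENSIC_CHECKS]
DEFAULT_HOST = dict(zip(_KEYS, [None, None, 3, 3, 0, 2, 3]))
# ... versus a host where every step in this section was applied.
TAMPERED_HOST = dict(zip(_KEYS, [0, 0, 0, 0, 1, 4, 4]))

if __name__ == "__main__":
    live = collect_snapshot() if sys.platform == "win32" else TAMPERED_HOST
    for finding in audit(live):
        print(finding)
```

Deleted keys such as USBSTOR and cleared event logs are not covered by value checks; those are better caught by comparing against an earlier baseline export or by the gaps they leave in the USN journal and $LogFile.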