Cleanup

Cleaning up after the conclusion of an offensive operation is important. For OPSEC reasons, you want to minimize the footprint left on the target after you have completed your objective, to reduce the chances of being detected and/or investigated post operation. Additionally, any tooling still present in the target network when the operation is eventually discovered should be considered burnt. Any publicly facing offensive infrastructure should also be torn down, to limit the time frame defenders have to probe and inspect the infra. Therefore, it is important that we cover our tracks well before leaving a target. Not to mention, it is considered bad practice to leave live malware in a client's network after an engagement.

  • Set kill dates on all your implants
    • End date of engagement
  • Add remote kill switches where possible
    • Does X domain contain X content?
    • Is X domain registered?
    • Anything that you can control externally that the implant can access
  • Destroy relevant logs (where possible)
    • Windows event logs
    • ETW
    • Locally stored EDR logs
  • Destroy all host artifacts
    • Dropped files
    • Registry keys
    • Scheduled tasks
    • WMI triggers
    • Startup tasks
  • Destroy publicly facing offensive infrastructure
    • Redirectors
    • Staging servers
    • Cover pages
    • Domains
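The first two checklist items (kill dates and remote kill switches) and the dropped-files item are the ones that can be enforced in code rather than by memory. The following is an added example, not code from this page or from any C2 framework: a small engagement safety guard that fails closed on the kill date, on a tripped or unreachable kill switch, and on an implausible host clock, plus a manifest-driven cleanup that reports exactly which dropped files are still on disk so the operator knows what needs handling by hand. The `utc`, `evaluate_guard`, `cleanup_dropped_files` and `demo` names, the build-time clock check, and the sample file names are all assumptions of this example; the kill-switch checks are injected as callables so the logic runs offline.

```python
"""Engagement safety guard: kill date, remote kill switches, manifest cleanup.

Added illustration for the cleanup checklist above; not code from this page
or from any C2 framework. Assumptions: every dropped file is recorded in a
manifest at drop time, kill-switch checks are injected as callables (so the
logic runs offline), and the host clock is untrusted.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Iterable

# A kill-switch check returns True while the implant may keep running, e.g.
# "is the canary domain still registered?" or "does it still serve the
# expected content?". The actual lookup is the caller's responsibility.
KillSwitchCheck = Callable[[], bool]


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Timezone-aware UTC timestamp; kill dates must never be naive local time."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass
class GuardDecision:
    terminate: bool
    reason: str


def evaluate_guard(now: datetime, build_time: datetime, kill_date: datetime,
                   checks: Iterable[KillSwitchCheck]) -> GuardDecision:
    """Decide whether the implant must stop and clean up. Fails closed.

    Termination triggers: the kill date has passed; the host clock reads
    earlier than the build time (the clock is wrong, so the kill date cannot
    be trusted); any kill switch returns False; any kill switch raises (DNS or
    HTTP failure). Only a fully successful run of every check returns ok.
    """
    for label, ts in (("now", now), ("build_time", build_time), ("kill_date", kill_date)):
        if ts.tzinfo is None:
            raise ValueError(f"{label} must be timezone-aware")
    if now >= kill_date:
        return GuardDecision(True, "kill date reached")
    if now < build_time:
        return GuardDecision(True, "host clock earlier than build time")
    for index, check in enumerate(checks):
        try:
            alive = check()
        except Exception as exc:  # fail closed on any error, not only False
            return GuardDecision(True, f"kill switch {index} unreachable: {exc}")
        if not alive:
            return GuardDecision(True, f"kill switch {index} tripped")
    return GuardDecision(False, "ok")


@dataclass
class CleanupReport:
    removed: list[str] = field(default_factory=list)
    already_gone: list[str] = field(default_factory=list)
    failed: dict[str, str] = field(default_factory=dict)

    def leftovers(self) -> list[str]:
        """Paths still present after cleanup: these must be handled by hand."""
        return [p for p in self.failed if os.path.lexists(p)]


def cleanup_dropped_files(manifest: Iterable[str]) -> CleanupReport:
    """Remove every file in the drop manifest and report what could not go."""
    report = CleanupReport()
    for path in manifest:
        if not os.path.lexists(path):
            report.already_gone.append(path)
            continue
        try:
            os.remove(path)
            report.removed.append(path)
        except OSError as exc:
            report.failed[path] = str(exc)
    return report


def demo() -> tuple[CleanupReport, list[str]]:
    """Constructed scenario: two dropped files plus one already removed by hand."""
    workdir = tempfile.mkdtemp(prefix="drop-manifest-")
    dropped = [os.path.join(workdir, n) for n in ("loader.dll", "stage.bin", "gone.txt")]
    for p in dropped[:2]:
        with open(p, "wb") as fh:
            fh.write(b"constructed placeholder, not a real tool")
    report = cleanup_dropped_files(dropped)
    survivors = [p for p in dropped if os.path.lexists(p)]
    os.rmdir(workdir)  # only succeeds if the directory is really empty
    return report, survivors


if __name__ == "__main__":
    decision = evaluate_guard(utc(2024, 7, 1), utc(2024, 6, 1), utc(2024, 6, 30),
                              [lambda: True])
    print(decision)  # GuardDecision(terminate=True, reason='kill date reached')
    report, survivors = demo()
    print(report.removed, report.already_gone, survivors)
```

The design choice worth noting is that every failure path terminates: a kill switch that cannot be reached is treated the same as one that has been tripped, and a host clock earlier than the build time is treated as untrustworthy. The cleanup report deliberately separates "already gone" from "failed" so that a file an analyst quarantined before the engagement ended does not read as a successful removal.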
