Cleanup

Cleaning up after the conclusion of an offensive operation is important. For OPSEC reasons, you want to minimize the footprint left on the target after you have completed your objective, to reduce the chances of being detected or investigated post-operation. Additionally, any tools left in the target network should be considered burnt once the operation is eventually discovered. Any publicly facing offensive infrastructure should also be torn down to limit the time frame defenders have to probe and inspect it. It is therefore important to cover your tracks well before leaving a target; leaving live malware in a client's network after an engagement is also considered bad practice.

  • Set kill dates on all your implants
    • End date of the engagement
  • Add remote kill switches where possible
    • Does domain X contain content Y?
    • Is domain X registered?
    • Anything that you can control externally and that the implant can reach
  • Destroy relevant logs (where possible)
    • Windows event logs
    • ETW
    • Locally stored EDR logs
  • Destroy all host artifacts
    • Dropped files
    • Registry keys
    • Scheduled tasks
    • WMI triggers
    • Startup tasks
  • Destroy publicly facing offensive infrastructure
    • Redirectors
    • Staging servers
    • Cover pages
    • Domains
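From the defender's side, the log-destruction step in the checklist is itself a detectable event: clearing the Windows Security log produces event ID 1102 ("The audit log was cleared") and clearing the System log produces event ID 104 from the Eventlog provider. The following is an added example, not code from the original page: it runs a simple detection over a handful of constructed event records in a simplified JSON shape (the field names `time`, `channel`, `event_id`, `user` and `host` are assumptions for this illustration, not a real export format) and escalates when the same account clears more than one channel on a host within a short window, which is what a cleanup pass tends to look like.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records in a simplified JSON shape; these are not
# real captures, and the field layout is an assumption for this example.
SAMPLE_RECORDS = [
    r'{"time":"2024-05-01T21:58:10Z","channel":"Security","event_id":4624,"user":"CORP\\jdoe","host":"WS01"}',
    r'{"time":"2024-05-01T22:01:03Z","channel":"Security","event_id":1102,"user":"CORP\\svc-backup","host":"WS01"}',
    r'{"time":"2024-05-01T22:01:05Z","channel":"System","event_id":104,"user":"CORP\\svc-backup","host":"WS01"}',
    r'{"time":"2024-05-01T22:30:00Z","channel":"Security","event_id":4688,"user":"CORP\\jdoe","host":"WS02"}',
    r'{"time":"2024-05-02T03:15:40Z","channel":"System","event_id":104,"user":"NT AUTHORITY\\SYSTEM","host":"WS03"}',
]

# Well-known Windows event IDs that indicate a log was cleared.
LOG_CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "System event log cleared",
}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_records(lines):
    """Decode one JSON record per line into dicts."""
    return [json.loads(line) for line in lines]


def detect_log_clearing(records):
    """Return one alert per record whose (channel, event_id) is a log-clear event."""
    alerts = []
    for rec in records:
        key = (rec["channel"], rec["event_id"])
        if key in LOG_CLEAR_EVENTS:
            alerts.append({
                "time": parse_time(rec["time"]),
                "host": rec["host"],
                "user": rec["user"],
                "channel": rec["channel"],
                "event_id": rec["event_id"],
                "description": LOG_CLEAR_EVENTS[key],
            })
    return alerts


def correlate(alerts, window_minutes=5):
    """Group log-clear alerts by (host, user) and rate the severity.

    Two or more distinct channels cleared by the same account on the same
    host within `window_minutes` of the first clear is rated high; a single
    channel clear is rated medium (it may be routine log rotation).
    """
    by_actor = {}
    for alert in alerts:
        by_actor.setdefault((alert["host"], alert["user"]), []).append(alert)

    window = timedelta(minutes=window_minutes)
    findings = {}
    for actor, items in by_actor.items():
        items.sort(key=lambda a: a["time"])
        first = items[0]["time"]
        channels = {a["channel"] for a in items if a["time"] - first <= window}
        findings[actor] = {
            "severity": "high" if len(channels) >= 2 else "medium",
            "channels": sorted(channels),
            "first_seen": first,
        }
    return findings


if __name__ == "__main__":
    found = detect_log_clearing(parse_records(SAMPLE_RECORDS))
    for (host, user), info in correlate(found).items():
        print(f"{info['severity'].upper():6} {host} {user} cleared {info['channels']} "
              f"starting {info['first_seen'].isoformat()}")
```

Running the block prints one line per host/account pair; the WS01 pair is rated high because both the Security and System logs were cleared within seconds of each other. In a real pipeline the same logic would sit on forwarded events, since logs that are only stored locally are exactly the ones the checklist above expects to be destroyed.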
