Ido Veltzman edited this page May 9, 2022 · 8 revisions

Description

MrKaplan is a tool aimed at helping red teamers stay hidden and clear as many traces as possible. It works by saving information such as the time it ran and the user it ran under, and then "reverting" the computer to look as it did before MrKaplan ran.

What does this wiki contain?

  • This page (switches, motivation).
  • An explanation of each module.
  • An explanation of each artifact and why it is included.

Switches and their meaning

As you saw from the help command, there are a few options that MrKaplan can run with:

  • -Users: This option cannot be combined with -RunAsUser. It allows deleting artifacts for other users on the current PC (the current user is included by default and does not need to be added).
  • -RunAsUser: This option cannot be combined with -Users. It allows deleting artifacts with only user privileges.
  • -EtwBypassMethod: This option cannot be combined with -RunAsUser. It selects which method is used to stop event logging (you can read more about it in the Event Logging bypass section).
  • -Exclusions: This option controls which evidence will not be cleaned. Currently supported evidence types:
    • eventlogs => Do not stop ETW
    • pshistory => Do not overwrite PowerShell history
    • userassist => Do not clear UserAssist registry key
    • bamkey => Do not clear the BAM registry key.
    • comdlg32 => Do not clear the ComDlg32 registry key.
    • appcompatcache => Do not clear the AppCompatCache registry key.
    • inetcache => Do not clear the INet cache folder.
    • windowshistory => Do not clear the Windows history folder.
    • officehistory => Do not clear the Office history folder.
    • cryptnetcache => Do not clear the CryptNetUrlCache folder.
    • prefetch => Do not clear Prefetch files.

Running states

  • begin: When you want to start your operation, use this command with the switches above and MrKaplan will create the matching config under HKCU:\Software\MrKaplan.
  • end: When you have finished your operation and want to clean up the evidence.
  • timestomp: When you want to timestomp a file at the end of your operation, use this command with -StompedFilePath to save the required information.
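From the defender's side, the run configuration that "begin" writes under HKCU:\Software\MrKaplan, together with artifact stores that are unexpectedly empty on an otherwise active workstation, is what a triage script would look for. The following is an added example written for this wiki page; it is not part of MrKaplan and not the project's own code. The MrKaplan key path comes from this page; the UserAssist, ComDlg32, BAM, Prefetch and PSReadLine history locations are the standard Windows ones, and the thresholds (a store with zero entries) are an assumption chosen for illustration.

```powershell
# Added example (not MrKaplan code): triage for the tool's footprint and for
# artifact stores that should normally contain entries but are empty.
# Run from an elevated prompt so the HKLM (BAM) check can be read.

function Get-AntiForensicsIndicators {
    $findings = @()

    # 1. The page states that "begin" creates the run config under this key.
    #    HKCU is per-user, so run this under (or load the hive of) each user of interest.
    $kaplanKey = 'HKCU:\Software\MrKaplan'
    if (Test-Path $kaplanKey) {
        $findings += [pscustomobject]@{ Indicator = 'MrKaplan config key present'; Detail = $kaplanKey }
    }

    # 2. Registry stores that accumulate execution evidence over time.
    #    An empty store is a signal to investigate, not proof on its own.
    $stores = @(
        @{ Name = 'UserAssist'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist' }
        @{ Name = 'ComDlg32';   Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32' }
        @{ Name = 'BAM';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings' }
    )
    foreach ($s in $stores) {
        if (-not (Test-Path $s.Path)) {
            $findings += [pscustomobject]@{ Indicator = "$($s.Name) key missing"; Detail = $s.Path }
            continue
        }
        $count = (Get-ChildItem -Path $s.Path -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
        if ($count -eq 0) {
            $findings += [pscustomobject]@{ Indicator = "$($s.Name) key has no entries"; Detail = $s.Path }
        }
    }

    # 3. Prefetch folder: zero .pf files is unusual on a workstation where
    #    Prefetch is enabled (servers and some SSD configurations legitimately differ).
    $pf = Join-Path $env:SystemRoot 'Prefetch'
    $pfCount = (Get-ChildItem -Path $pf -Filter '*.pf' -ErrorAction SilentlyContinue | Measure-Object).Count
    if ($pfCount -eq 0) {
        $findings += [pscustomobject]@{ Indicator = 'No Prefetch files'; Detail = $pf }
    }

    # 4. PSReadLine console history file: present but zero bytes suggests it was overwritten.
    if (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue) {
        $hist = (Get-PSReadLineOption).HistorySavePath
        if ((Test-Path $hist) -and ((Get-Item $hist).Length -eq 0)) {
            $findings += [pscustomobject]@{ Indicator = 'PowerShell history file is empty'; Detail = $hist }
        }
    }

    return $findings
}

Get-AntiForensicsIndicators | Format-Table -AutoSize
```

Each finding is a hint rather than a verdict: a freshly provisioned machine also has few Prefetch files and a short history. The value of the script is in correlating several empty stores with the presence of the MrKaplan key, and in pairing it with sources the tool cannot rewrite from the endpoint, such as logs already forwarded to a central collector.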

Why did you create this project?

I see a lot of tools that aim to leave no traces behind and re-implement the same checks (and miss some) to remove artifacts. The purpose of this tool is to be an easy, plug-and-play tool for any red teamer, to make their life easier and erase every trace with one command.

What is planned for this project?

Currently I'm working on several things:

  • Add more artifacts.
  • Create a version as a module.

Why did you choose PowerShell?

It is an easy language that is installed on every modern Windows computer and has great integration with the OS.