Files Module
This module covers every artifact that is a file: what it is, why it is an artifact, and why cleaning it up helps the attacker stay hidden.
This artifact records everything that was run with PowerShell, per user, so it lets the blue team see every command the attacker ran through PowerShell; since many attackers rely on PowerShell today, it can reveal a great deal. To clean this artifact, MrKaplan saves a snapshot of the PowerShell history file on its first run and replaces the file with that snapshot at the end.
Prefetch is a file that helps Windows load a program into memory more quickly (the first time you run any program, Windows creates a prefetch file for it to improve launch time) by saving important data about the executable (path, loaded DLLs, etc.). It also helps the blue team see what ran on the computer. To clean this artifact, MrKaplan checks the modification time and deletes the file if it falls within the selected time range.
This folder contains cached files from various sources, for example resources and files downloaded from the internet (e.g. if you open a PDF document from within Outlook, it will probably be saved there). One scenario is that an attacker forgets to clean that directory and leaves their stager / malware behind. MrKaplan checks the creation time and deletes the file if it falls within the selected time range.
This folder contains information about recently executed programs and can greatly help an investigation establish whether a certain program ran and from where. MrKaplan checks the creation time and deletes the file if it falls within the selected time range.
This folder contains information about recently opened documents and can greatly help an investigation in case of infection via a malicious Office file (e.g. a Word document with a macro). MrKaplan checks the creation time and deletes the file if it falls within the selected time range.
This folder contains files that were downloaded with tools like curl; when curl or any other Windows LOLBAS is used, it can help investigators find the malicious stager / malware. MrKaplan checks the creation time and deletes the file if it falls within the selected time range.
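Because every cleanup above keys on a file timestamp falling inside a chosen window, a defender can look for the hole it leaves behind. The following is an added example, not code from MrKaplan or this wiki: a Python triage script that flags a span with no artifact timestamps that is framed by dense activity on both sides, shown here over a constructed set of Prefetch modification times (the `prefetch_gaps` helper, its default path and the thresholds are assumptions).

```python
from datetime import datetime, timedelta
from pathlib import Path

def find_gaps(times, min_gap=timedelta(hours=2),
              context=timedelta(hours=1), min_context=3):
    """Return (start, end) pairs with no artifact timestamp for at least
    min_gap that are framed by >= min_context artifacts within `context`
    on each side. Idle periods also leave holes, but not ones surrounded by
    dense activity; a timed cleanup of a busy window does. Heuristic only:
    corroborate hits with event logs."""
    times = sorted(times)
    gaps = []
    for prev, cur in zip(times, times[1:]):
        if cur - prev < min_gap:
            continue
        before = sum(1 for t in times if prev - context <= t <= prev)
        after = sum(1 for t in times if cur <= t <= cur + context)
        if before >= min_context and after >= min_context:
            gaps.append((prev, cur))
    return gaps

def prefetch_gaps(prefetch_dir=r"C:\Windows\Prefetch", **kwargs):
    """Run find_gaps over the modification times of *.pf files, the
    timestamp the cleanup keys on (reading Prefetch needs admin rights)."""
    mtimes = [datetime.fromtimestamp(p.stat().st_mtime)
              for p in Path(prefetch_dir).glob("*.pf")]
    return find_gaps(mtimes, **kwargs)

def _burst(start, end, step=timedelta(minutes=10)):
    """Constructed helper: one timestamp every `step` from start to end."""
    out, t = [], start
    while t <= end:
        out.append(t)
        t += step
    return out

# Constructed sample: a workday with a three-hour hole between two busy
# periods, one late-evening process and ordinary overnight idleness.
DAY = datetime(2024, 3, 5)
SAMPLE_TIMES = (
    _burst(DAY + timedelta(hours=9), DAY + timedelta(hours=11))
    + _burst(DAY + timedelta(hours=14), DAY + timedelta(hours=16))
    + [DAY + timedelta(hours=22)]
    + _burst(DAY + timedelta(days=1, hours=9), DAY + timedelta(days=1, hours=10))
)

if __name__ == "__main__":
    for start, end in find_gaps(SAMPLE_TIMES):
        print(f"suspicious hole: {start:%Y-%m-%d %H:%M} -> {end:%H:%M}")
```

On the sample only the 11:00 to 14:00 hole is reported; the evening and overnight gaps are ignored because one side of each is quiet.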