Persistence Removal

  • Scheduled Tasks
    • Malicious tasks run scripts at intervals (e.g., steal credentials)
    • Windows:
      schtasks /delete /tn "TaskName" /f
    • Linux:
      crontab -e         # Remove malicious entries
  • Registry Keys (Windows)
    • Malware adds HKLM\...\Run or HKCU\...\Run entries
    • Removal:
      1. Open Registry Editor
      2. Delete suspicious values at:
        • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Hidden Files/Directories
    • Attackers store scripts/tools hidden (e.g., hidden Netcat)
      ls -al /path/to/dir
    • Use file integrity tools (e.g., Tripwire); delete unauthorized files
  • User Accounts
    • Testers create local/AD accounts for access
    • Windows (Local):
      net user malicious_user /delete
    • Windows (AD): Remove via Active Directory Users and Computers
    • Linux:
      sudo userdel -r malicious_user
  • Remote Tools/Backdoors
    • RATs and backdoors remain post-test
    • Removal:
      • Run anti-malware (e.g., Malwarebytes)
      • Manually uninstall known RAT binaries and data
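The removal steps above all depend on knowing what was there before the test. The following script is an added example (not part of these notes): it parses a Registry Editor export of the two Run keys and a crontab dump, compares them with the autostart inventory recorded before the engagement, and lists every entry that has no baseline match, which is the list to delete with schtasks/regedit/crontab. The `.reg` text, crontab text and baseline dicts are constructed sample data.

```python
"""Audit autostart locations against a pre-test baseline (added example)."""
import re

# Run keys under audit; compared case-insensitively because .reg exports vary in case
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# "Name"=data  where Name may contain escaped quotes
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the Run keys in a .reg export.

    regedit writes .reg files as UTF-16LE; read them with encoding="utf-16".
    String data doubles backslashes and escapes embedded quotes, so undo both.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.lower() in RUN_KEYS else None  # ignore other keys
            if current:
                entries.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:                      # @= default value or non-string data
            continue
        name = m.group(1).replace('\\"', '"')
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        entries[current][name] = data
    return entries


def parse_crontab(text):
    """Return the set of job lines from a crontab dump, skipping blanks,
    comments and VAR=value environment lines; whitespace is normalized."""
    jobs = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        jobs.add(" ".join(line.split()))
    return jobs


def find_unbaselined(current_reg, baseline_reg, current_cron, baseline_cron):
    """Return (location, name, command) for everything present now but not
    in the pre-test baseline: the candidates for removal."""
    base = {k.lower(): v for k, v in baseline_reg.items()}
    findings = []
    for key, values in current_reg.items():
        known = base.get(key.lower(), {})
        for name, data in values.items():
            if known.get(name) != data:
                findings.append((key, name, data))
    for job in sorted(current_cron - baseline_cron):
        findings.append(("crontab", "", job))
    return findings


# Constructed sample input: a post-test .reg export and crontab dump
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''
SAMPLE_CRON = """# m h dom mon dow command
MAILTO=root
0 2 * * * /usr/local/bin/backup.sh
*/10 * * * *   /tmp/.cache/sync.sh
"""

# Constructed baseline recorded before the engagement
BASELINE_REG = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
}
BASELINE_CRON = {"0 2 * * * /usr/local/bin/backup.sh"}


def audit():
    return find_unbaselined(parse_reg_export(SAMPLE_REG), BASELINE_REG,
                            parse_crontab(SAMPLE_CRON), BASELINE_CRON)


if __name__ == "__main__":
    for location, name, command in audit():
        print(f"REMOVE  {location}  {name!r}  {command}")
```

The same comparison works for HKLM\...\RunOnce, the Winlogon keys, /etc/cron.d and systemd timers once those are added to the baseline capture; the point is that the baseline is taken before the first test action, so anything not in it is either the tester's or needs explaining.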

Revert Configuration Changes

  • Firewall Rules
    • Tests may open ports (e.g., TCP 8080)
    • Windows:
      netsh advfirewall reset
    • Linux (ufw):
      ufw reset
    • Linux (firewalld):
      systemctl restart firewalld
  • Database Configurations
    • Permissions loosened for testing (e.g., open SQL access)
    • Revert: Restore original access controls (e.g., revoke test roles)
      ALTER USER test_user ACCOUNT LOCK;
  • Logging & Monitoring
    • Logs disabled to conceal activity
    • Windows:
      sc config EventLog start= auto
      sc start EventLog
    • Linux:
      systemctl start rsyslog
    • Confirm retention and rotation are correct
  • System & Application Settings
    • Security features (encryption, authentication) turned off
    • Revert: Re-enable features; verify via documented baseline
  • DNS Settings
    • Modified to redirect traffic to test servers
    • Windows (PowerShell):
      Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ResetServerAddresses
  • Documentation
    • Key: Document original settings pre-test to ensure accurate restoration
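A worked illustration of the documentation point, added here and not taken from the notes: the same collector runs before testing and after cleanup, and a diff of the two snapshots becomes the revert checklist. The snapshot shape (firewall allow rules as a set, DNS servers per interface, service start types, security feature flags) and all values are constructed; the collector that fills it (netsh/ufw output, Get-DnsClientServerAddress, sc qc, etc.) is assumed to exist outside this script.

```python
"""Pre-test baseline vs post-test snapshot: what still has to be reverted (added example)."""

MISSING = object()   # sentinel: a key present on one side only

# Constructed baseline captured before the engagement
BASELINE = {
    "firewall": {"inbound_allow": {("tcp", 443), ("tcp", 3389)}},
    "dns": {"Ethernet": ["10.0.0.53", "10.0.0.54"]},
    "services": {"EventLog": "auto", "rsyslog": "enabled"},
    "security": {"smb_signing_required": True, "disk_encryption": "on"},
}

# Constructed snapshot taken after testing, before cleanup
AFTER_TEST = {
    "firewall": {"inbound_allow": {("tcp", 443), ("tcp", 3389), ("tcp", 8080)}},
    "dns": {"Ethernet": ["192.0.2.10"]},          # redirected to a test resolver
    "services": {"EventLog": "disabled", "rsyslog": "enabled"},
    "security": {"smb_signing_required": False, "disk_encryption": "on"},
}


def _show(v):
    return "absent" if v is MISSING else v


def diff_config(baseline, current, path=()):
    """Return [(path, expected, actual)] for every leaf that differs.

    Dicts recurse; sets are reported member by member so a single opened
    port appears on its own line instead of as a whole-set mismatch.
    """
    out = []
    for k in sorted(set(baseline) | set(current)):
        b, c = baseline.get(k, MISSING), current.get(k, MISSING)
        here = path + (k,)
        if isinstance(b, dict) and isinstance(c, dict):
            out.extend(diff_config(b, c, here))
        elif isinstance(b, set) and isinstance(c, set):
            out.extend((here, "absent", added) for added in sorted(c - b))
            out.extend((here, removed, "absent") for removed in sorted(b - c))
        elif b != c:
            out.append((here, _show(b), _show(c)))
    return out


def revert_checklist(deviations):
    """One human-readable action per deviation for the restoration report."""
    lines = []
    for path, expected, actual in deviations:
        where = "/".join(str(p) for p in path)
        if actual == "absent":
            lines.append(f"{where}: restore {expected!r}")
        elif expected == "absent":
            lines.append(f"{where}: remove {actual!r}")
        else:
            lines.append(f"{where}: set back to {expected!r} (currently {actual!r})")
    return lines


def restoration_complete(baseline, current):
    """True once a fresh snapshot matches the baseline exactly."""
    return not diff_config(baseline, current)


if __name__ == "__main__":
    for line in revert_checklist(diff_config(BASELINE, AFTER_TEST)):
        print(line)
    print("complete:", restoration_complete(BASELINE, AFTER_TEST))
```

Re-running the collector after each revert step and checking `restoration_complete` turns "we think we put it back" into a verified statement for the report, and catches the case where a setting was restored on one host but not another.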

Created Credentials Removal

  • Types
    • User Accounts: Local or AD
    • Shells/Tools: Backdoor shells, RATs
    • API Keys/Tokens: Temporary cloud credentials
  • Removal
    • Local Accounts:
      • Windows: net user username /delete
      • Linux: sudo userdel -r username
    • Domain Accounts: Delete via ADUC to prevent reuse
    • API Keys/Tokens:
      • AWS: Revoke in IAM → Users → Security Credentials
      • GCP: IAM & Admin → Service Accounts → Delete Key
  • Key Takeaways:
    • Document all test-created credentials
    • Remove from every system/service to eliminate backdoor risk

Removal of Testing Tools

  • In-memory Tools
    • Disappear on reboot (e.g., Meterpreter shell)
    • Action: Reboot or kill processes:
      pkill -f meterpreter
  • Persistent Tools
    • Remain on disk (e.g., keyloggers)
    • Removal:
      • Uninstall via program uninstaller or delete binaries and configs
  • Secure Deletion
    • Deletion alone leaves recoverable traces
    • Linux:
      shred -u /path/to/file
    • Windows:
      • Use CCleaner secure delete or SDelete (-p: overwrite passes; -s: recurse subdirectories):
        sdelete -p 3 -s C:\path\to\malware\
  • Vulnerability Scanner Agents
    • Uninstall via built-in uninstaller; securely delete leftover logs (/var/log/nessus/, C:\ProgramData\Nessus\)
  • Automated Tasks & Scripts
    • Linux:
      crontab -e
      # Remove test cron entries
    • Windows:
      schtasks /delete /tn "TestTask" /f
  • Key Takeaway: Ensure no residual tools/scripts remain to prevent future exploitation

Decommission Testing Infrastructure

  • Importance
    • Prevent unauthorized access to idle resources; minimize costs; comply with policies
  • Steps
    • Identify Resources: Inventory VMs, DBs, storage, network components via cloud console
    • Terminate Instances:
      • AWS: EC2 Dashboard → Select instances → Terminate
      • RDS: Delete instances (handle backups per policy)
    • Cleanup Storage:
      • Delete EBS volumes, S3 buckets not auto-removed
        aws s3 rb s3://test-bucket --force
    • Network Cleanup: Remove VPCs, subnets, security groups, route tables to close holes
    • Logs & Monitoring: Archive essential logs securely; delete unnecessary logs
  • Key Takeaways:
    • Document all resources pre-test to avoid oversight
    • Use cloud-native tools/scripts for efficient identification and termination
    • Update decommission procedures with new service offerings
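The "document everything you create" takeaway appears twice, for credentials (Created Credentials Removal) and for cloud resources (this section). The script below is an added example, not from the notes, that serves both: a manifest of everything created during the engagement is checked against a post-cleanup inventory, and cloud resources are additionally found through an engagement tag and a creation-time window so that items the manifest missed still surface. Account IDs, key IDs, instance IDs, hostnames and the tag name `Engagement` are constructed placeholders; the inventory is assumed to come from `net user`, IAM and EC2 listings and is embedded here as static data.

```python
"""Engagement cleanup manifest and post-cleanup cross-check (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Created:
    kind: str      # local_user, ad_user, aws_access_key, ec2, s3_bucket, ...
    system: str    # host, domain or cloud account the item lives in
    ident: str     # username, key id, instance id, bucket name


# Constructed manifest kept during the test (placeholder identifiers)
MANIFEST = [
    Created("local_user", "web01", "pt_svc"),
    Created("local_user", "db01", "pt_svc"),        # same name on two hosts: both must go
    Created("aws_access_key", "123456789012", "AKIA-PLACEHOLDER-KEY-ID"),
    Created("ec2", "123456789012", "i-0placeholder1"),
    Created("s3_bucket", "123456789012", "pt-2025-06-scan-output"),
]

# Constructed inventory gathered after cleanup: {(kind, system): idents still present}
POST_CLEANUP_INVENTORY = {
    ("local_user", "web01"): {"Administrator", "pt_svc"},      # still there
    ("local_user", "db01"): {"Administrator"},
    ("aws_access_key", "123456789012"): set(),
    ("ec2", "123456789012"): {"i-0placeholder1", "i-0production0"},   # still there
    ("s3_bucket", "123456789012"): {"prod-assets"},
}

ENGAGEMENT_TAG = ("Engagement", "PT-2025-06")
TEST_WINDOW = (datetime(2025, 6, 9, tzinfo=timezone.utc),
               datetime(2025, 6, 13, tzinfo=timezone.utc))

# Constructed cloud resource listing (what a describe/list call would return)
CLOUD_RESOURCES = [
    {"id": "i-0placeholder1", "type": "ec2", "created_at": "2025-06-10T09:00:00+00:00",
     "tags": {"Engagement": "PT-2025-06"}},
    {"id": "vol-0placeholder2", "type": "ebs", "created_at": "2025-06-10T09:01:00+00:00",
     "tags": {}},                                # created by the test VM, never tagged
    {"id": "i-0production0", "type": "ec2", "created_at": "2024-01-15T08:00:00+00:00",
     "tags": {"Owner": "platform"}},
    {"id": "sg-0placeholder3", "type": "security_group", "created_at": "2025-06-11T16:30:00+00:00",
     "tags": {"Engagement": "PT-2025-06"}},      # tagged but missing from the manifest
]


def cleanup_outstanding(manifest, inventory):
    """Manifest entries that are still present after cleanup."""
    return [c for c in manifest if c.ident in inventory.get((c.kind, c.system), set())]


def tagged_for_engagement(resources, tag=ENGAGEMENT_TAG):
    """Resource IDs carrying the engagement tag, manifest or not."""
    key, value = tag
    return [r["id"] for r in resources if r.get("tags", {}).get(key) == value]


def unaccounted(resources, manifest, window, tag=ENGAGEMENT_TAG):
    """Resources created inside the test window that are neither tagged nor
    in the manifest: review these before deleting, they may be the tester's."""
    start, end = window
    key, value = tag
    known = {c.ident for c in manifest}
    out = []
    for r in resources:
        created = datetime.fromisoformat(r["created_at"])
        tagged = r.get("tags", {}).get(key) == value
        if start <= created <= end and not tagged and r["id"] not in known:
            out.append(r["id"])
    return out


def decommission_targets(resources, manifest, tag=ENGAGEMENT_TAG):
    """Union of manifest cloud items and tagged resources, sorted."""
    cloud_kinds = {"aws_access_key", "ec2", "s3_bucket", "security_group", "ebs"}
    ids = {c.ident for c in manifest if c.kind in cloud_kinds}
    ids.update(tagged_for_engagement(resources, tag))
    return sorted(ids)


if __name__ == "__main__":
    for item in cleanup_outstanding(MANIFEST, POST_CLEANUP_INVENTORY):
        print("STILL PRESENT:", item)
    print("review:", unaccounted(CLOUD_RESOURCES, MANIFEST, TEST_WINDOW))
    print("decommission:", decommission_targets(CLOUD_RESOURCES, MANIFEST))
```

Tagging every resource at creation is what makes the second check work; the time-window check is the safety net for the volume or snapshot a service created on the tester's behalf without inheriting the tag.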

Artifact Preservation

  • Artifacts: Logs, screenshots, config files, scripts generated during testing
  • Steps
    • Secure Storage of Logs: Encrypt scanner reports (e.g., Nmap, Nessus) in protected repos
    • Document Configurations: Save scripts and parameters (e.g., sqlmap -u https://target.com --dump)
    • Screenshots: Capture evidence of exploits, label clearly (e.g., CVE-2020-1234_success.png)
    • Detailed Notes & Timeline: Record date, time, action, result (e.g., “2025-06-10 14:00 – Phishing → 1 click”)
    • Handle Sensitive Data: Anonymize or delete PII post-test; comply with GDPR/CCPA
  • Key Takeaways:
    • Thorough, organized artifact preservation ensures transparency and aids remediation
    • Secure handling of sensitive data maintains compliance and trust
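An added example for the preservation steps above (not part of the notes): each artifact is recorded with its SHA-256 and size alongside the timeline entry, so a report reviewer can later verify that a screenshot or scan output is the one captured, and free-text notes are passed through an e-mail pseudonymizer before archiving so the "1 click" count survives while the recipient's address does not. The artifact bytes, note text and salt value are constructed; the `redacted.example` domain is a placeholder.

```python
"""Evidence manifest with integrity hashes and PII pseudonymization (added example)."""
import hashlib
import json
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def pseudonymize_email(addr, salt):
    """Stable pseudonym: the same address always maps to the same token, so
    'alice clicked twice' is still visible after redaction, but the address
    itself cannot be recovered without the per-engagement salt, which is
    kept out of the archive."""
    digest = hashlib.sha256((salt + addr.lower()).encode()).hexdigest()[:10]
    return f"user-{digest}@redacted.example"


def redact_pii(text, salt):
    """Replace every e-mail address in free-text notes with its pseudonym."""
    return EMAIL_RE.sub(lambda m: pseudonymize_email(m.group(0), salt), text)


def add_artifact(manifest, name, data, when, action, result, salt):
    """Append a timeline-linked manifest entry. Only the hash and size of the
    artifact are stored, and the action/result text is redacted, so the
    manifest itself can be shared with remediation owners."""
    manifest.append({
        "artifact": name,
        "sha256": sha256_hex(data),
        "bytes": len(data),
        "timestamp": when,
        "action": redact_pii(action, salt),
        "result": redact_pii(result, salt),
    })
    return manifest


def verify_artifact(entry, data):
    """True if `data` is byte-for-byte the artifact the manifest describes."""
    return entry["sha256"] == sha256_hex(data) and entry["bytes"] == len(data)


def manifest_json(manifest):
    return json.dumps(manifest, indent=2, sort_keys=True)


# Constructed sample: a screenshot's bytes and a note containing addresses
SALT = "per-engagement-salt-placeholder"
SCREENSHOT = b"\x89PNG\r\n\x1a\n" + b"constructed image bytes"
NOTE = ("2025-06-10 14:00 - Phishing -> 1 click by alice@example.com; "
        "bob@example.com reported it; alice@example.com opened the attachment")


def build_sample_manifest():
    return add_artifact([], "CVE-2020-1234_success.png", SCREENSHOT,
                        "2025-06-10T14:00:00Z", "Phishing", NOTE, SALT)


if __name__ == "__main__":
    print(manifest_json(build_sample_manifest()))
```

Hashing at capture time and re-checking before the report is sent is what lets the evidence stand up if a finding is disputed; the redaction step is what lets the same evidence leave the tester's encrypted repository.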

Secure Data Destruction

  • Importance
    • Simple deletion leaves recoverable data; secure destruction prevents recovery
  • Methods
    • Shredding: Overwrite data multiple times
      • Linux:
        shred -vzn 3 /dev/sdX
      • -n 3: three passes; -z: final zero-fill
    • HDD vs. SSD:
      • HDDs: Overwriting reliably erases sectors
      • SSDs: Use built-in secure-erase (e.g., hdparm --security-erase)
        hdparm --user-master u --security-set-pass pass /dev/sdX
        hdparm --user-master u --security-erase pass /dev/sdX
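The following is an added example, not from the notes, covering both the Secure Deletion step under Removal of Testing Tools and the shredding method here: it reproduces what `shred -u -n 3 -z` does to a single file (random passes, a final zero pass, fsync after each, rename before unlink) so the behaviour is visible and testable. The same limitation applies as for shred: on SSDs the controller can remap blocks, so an overwrite through the filesystem does not guarantee the old cells are gone; for whole devices use the drive's secure-erase path shown above. The file path and contents in `demo()` are constructed in a temporary directory.

```python
"""File-level secure overwrite mirroring shred -u -n N -z (added example)."""
import os
import tempfile


def overwrite_file(path, passes=3, zero_fill=True, chunk=1 << 16):
    """Overwrite `path` in place with `passes` random passes and, if
    zero_fill, a final zero pass (shred -n 3 -z). Each pass is flushed and
    fsync'd so the data reaches the device rather than the page cache.
    Returns the number of passes written."""
    size = os.path.getsize(path)
    total = passes + (1 if zero_fill else 0)
    with open(path, "r+b") as f:
        for i in range(total):
            last_zero = zero_fill and i == total - 1
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(b"\x00" * n if last_zero else os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return total


def secure_delete(path, passes=3):
    """Overwrite, then rename to a random name and unlink (shred -u), so the
    original filename does not linger in the directory entry.
    Caveat: on flash media prefer the device's secure-erase
    (hdparm --security-erase) for anything that must not be recoverable."""
    done = overwrite_file(path, passes=passes, zero_fill=True)
    directory = os.path.dirname(path) or "."
    anonymous = os.path.join(directory, os.urandom(8).hex())
    os.replace(path, anonymous)
    os.remove(anonymous)
    return done


def demo():
    """Constructed scenario: a scan-output file is overwritten with one random
    pass and one zero pass, checked, then securely deleted."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "scan-output.txt")
    with open(target, "wb") as f:
        f.write(b"constructed sample scan data\n" * 500)
    size = os.path.getsize(target)
    passes = overwrite_file(target, passes=1, zero_fill=True)
    with open(target, "rb") as f:
        zeroed = f.read() == b"\x00" * size
    secure_delete(target, passes=1)
    result = {
        "passes": passes,
        "zeroed": zeroed,
        "gone": not os.path.exists(target),
        "dir_empty": os.listdir(workdir) == [],
    }
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

Journaling filesystems, snapshots and backups can keep copies of the old blocks that no file-level overwrite reaches, which is why the notes pair secure deletion of individual files with device-level shredding or secure erase when the medium leaves the tester's control.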