RED-TEAM: Wipe Forensics Traces

Patrick Young
May 21, 2023


Useful commands

Linux

Command History:

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTLOG
export HISTFILE=/dev/null
export HISTSIZE=0
export HISTFILESIZE=0

Web history: check the logs of the corresponding middleware (web server / application container)

System log:

sudo systemctl stop systemd-journald
rm -rf /var/log/*

Vim history:

rm -rf ~/.viminfo
:set history=0

SSH without a TTY (avoids entries in w / last and in ~/.ssh/known_hosts):

ssh -T -o UserKnownHostsFile=/dev/null root@localhost.local

Windows

System event log cleaning tools:

https://github.com/hlldz/Invoke-Phant0m
https://github.com/QAX-A-Team/EventCleaner

Flood the System event log so older entries are overwritten:

eventcreate -l system -so administrator -t warning -d "this is a test" -id 500

MSTSC connection logs:

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
cd %userprofile%\documents
attrib Default.rdp -s -h
del Default.rdp

MSTSC bitmap cache:

del /a /f %localappdata%\Microsoft\Terminal Server Client\Cache

MiniNt registry key to stop the event log service (requires a reboot):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
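
As an added example (not part of the original post), a small Python detector that flags the techniques listed above when run over a command-line log, such as auditd execve records or an EDR process-creation feed, assumed here to be available as plain strings; the sample lines are constructed.

```python
import re

# Heuristic indicators for the trace-wiping commands listed above, applied to
# one recorded command line at a time (e.g. an auditd execve record or an EDR
# process-creation event, assumed here to be available as plain strings).
ANTI_FORENSICS_INDICATORS = {
    "shell history disabled": re.compile(
        r"HISTFILE=/dev/null|HISTSIZE=0|HISTFILESIZE=0|\bunset\b.*\bHIST\w*"),
    "journald stopped": re.compile(r"systemctl\s+stop\s+systemd-journald"),
    "system logs deleted": re.compile(r"\brm\b.*\s/var/log(/|\*|\s|$)"),
    "vim history removed": re.compile(r"\brm\b.*\.viminfo"),
    "ssh without tty or known_hosts": re.compile(
        r"\bssh\b.*(\s-T\b|UserKnownHostsFile=/dev/null)"),
    "rdp connection history cleared": re.compile(
        r"reg\s+delete\s+.*Terminal Server Client", re.IGNORECASE),
    "rdp bitmap cache deleted": re.compile(
        r"\bdel\b.*Terminal Server Client\\Cache", re.IGNORECASE),
    "event log flooded with eventcreate": re.compile(
        r"\beventcreate\b", re.IGNORECASE),
    "MiniNt key added (event log disabled)": re.compile(
        r"reg\s+add\s+.*\\Control\\MiniNt", re.IGNORECASE),
}

def scan_command_lines(lines):
    """Return (line_no, indicator, line) for each command matching an indicator."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for name, pattern in ANTI_FORENSICS_INDICATORS.items():
            if pattern.search(line):
                hits.append((no, name, line.strip()))
    return hits

# Constructed sample command log: routine admin activity interleaved with
# the wiping commands from this post. Not a real capture.
SAMPLE_LOG = [
    "sudo apt-get update",
    "export HISTFILE=/dev/null",
    "sudo systemctl stop systemd-journald",
    "rm -rf /var/log/*",
    "tail -f /var/log/syslog",
    r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f',
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"',
    "git fetch origin",
]

if __name__ == "__main__":
    for no, name, line in scan_command_lines(SAMPLE_LOG):
        print(f"line {no}: {name}: {line}")
```

The patterns are heuristics (for instance, `ssh -T` is also used by git), so treat hits as triage leads to correlate with service state changes. Because every technique here attacks the host's own records, the detection only holds up when command and event logs are forwarded off-host before they can be stopped or deleted.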
