MrKaplan is a tool aimed at helping red teamers stay hidden by clearing evidence of execution. It works by saving information such as the time it ran and snapshots of files, and by associating each piece of evidence with the related user.
This tool is inspired by MoonWalk, a similar tool for Unix machines.
You can read more about it in the wiki page.
Features
- Stopping event logging.
- Clearing file artifacts.
- Clearing registry artifacts.
- Can run for multiple users.
- Can run as user and as admin (highly recommended to run as admin).
- Can save timestamps of files.
- Can exclude certain operations and leave artifacts for blue teams.
Usage
- Before you start your operations on the computer, run MrKaplan with the begin flag, and whenever you finish, run it again with the end flag.
- DO NOT REMOVE MrKaplan's registry key; otherwise MrKaplan will not be able to use the saved information when it runs again with the end flag.
IOCs
- PowerShell process that accesses the artifacts mentioned in the wiki page.
- PowerShell importing a weird base64 blob.
- PowerShell process that performs token manipulation.
- MrKaplan's registry key: HKCU:\Software\MrKaplan.
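The IOCs above are what a blue team would hunt for. As an added example that is not part of MrKaplan, here is a small Python scanner run over constructed PowerShell script-block (Event ID 4104) and Sysmon registry (Event ID 13) records: it flags long base64 runs that decode to readable UTF-8 or UTF-16LE text, token-manipulation Win32 APIs found in the raw or decoded script, and any reference to the MrKaplan registry key. The sample events, the 64-character blob threshold and the API watch list are my assumptions, not taken from the project. Sysmon records HKCU as HKU\<SID>, so the key match is on the Software\MrKaplan suffix rather than the HKCU prefix.

```python
import base64
import binascii
import re


def encode_utf16_b64(script):
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events, loosely modelled on PowerShell script-block
# logging (Event ID 4104) and Sysmon registry events (Event ID 13). They are
# invented for this example; real events carry many more fields.
_ENCODED = base64.b64encode(
    b"function Invoke-Elevate { [Win32]::AdjustTokenPrivileges($h, 0, $p, 0, 0, 0) }"
).decode()

SAMPLE_EVENTS = [
    {"id": 4104, "image": "powershell.exe", "text": r"Get-ChildItem C:\Temp"},
    {"id": 4104, "image": "powershell.exe",
     "text": "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
             + _ENCODED + "')) | Invoke-Expression"},
    {"id": 4104, "image": "powershell.exe",
     "text": "powershell.exe -NoP -EncodedCommand "
             + encode_utf16_b64(r"Get-Item HKCU:\Software\MrKaplan")},
    {"id": 13, "image": "powershell.exe",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\MrKaplan\Begin"},
    {"id": 13, "image": "explorer.exe",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Foo"},
]

# A run of 64+ base64-alphabet characters; the floor keeps ordinary words and
# paths from matching (assumed threshold, tune it for your environment).
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Matches both the HKCU:\Software\MrKaplan form and Sysmon's HKU\<SID>\Software\MrKaplan.
MRKAPLAN_KEY_RE = re.compile(r"\\Software\\MrKaplan\b", re.IGNORECASE)
# Win32 APIs commonly P/Invoked from PowerShell for token manipulation
# (assumed watch list, not from the project).
TOKEN_APIS = ("AdjustTokenPrivileges", "OpenProcessToken", "DuplicateTokenEx",
              "ImpersonateLoggedOnUser", "SetThreadToken", "LookupPrivilegeValue")
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def _looks_like_text(s):
    """True when at least 95% of the characters are printable or whitespace."""
    if not s:
        return False
    ok = sum(1 for ch in s if ch.isprintable() or ch in "\r\n\t")
    return ok / len(s) >= 0.95


def decode_blobs(text):
    """Decode every long base64 run in text that yields readable UTF-16LE
    (what -EncodedCommand uses) or UTF-8; return the decoded strings."""
    decoded = []
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue
        # UTF-16LE ASCII text has a zero byte in every odd position.
        utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
        try:
            candidate = raw.decode("utf-16-le" if utf16 else "utf-8")
        except UnicodeDecodeError:
            continue
        if _looks_like_text(candidate):
            decoded.append(candidate)
    return decoded


def find_iocs(event):
    """Return IOC labels for one event in a fixed order: registry key,
    base64 blob, token manipulation."""
    hits = []
    text = event.get("text", "") if event.get("image", "").lower() in POWERSHELL_IMAGES else ""
    decoded = decode_blobs(text)
    # Search the registry target, the raw script and every decoded blob.
    haystack = "\n".join([event.get("target", ""), text, *decoded])
    if MRKAPLAN_KEY_RE.search(haystack):
        hits.append("mrkaplan_regkey")
    if decoded:
        hits.append("b64_blob")
    lowered = haystack.lower()
    if any(api.lower() in lowered for api in TOKEN_APIS):
        hits.append("token_manipulation")
    return hits


def scan(events):
    """Run find_iocs over a list of events; one result list per event."""
    return [find_iocs(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(event["id"], event["image"], hits)
```

The decoded-blob pass is what catches the token-manipulation IOC in the second sample event: the API name never appears in the raw script block, only inside the blob. The length floor is the main blind spot; a short `-EncodedCommand` payload stays under 64 characters and is not decoded, so pair this with plain string matching on `-EncodedCommand`/`-enc` in process creation events.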
Acknowledgements
Disclaimer
I am not responsible in any way for any kind of damage that is done to your computer / program as a result of this project. I happily accept contributions; make a pull request and I will review it!