10 / Cleanup
Remove artifacts, clear event logs, erase command history and cover your tracks on both Windows and Linux AD machines. Document what you cleaned for the pentest report.
# Windows event logs. The first line clears every channel returned by
# `wevtutil el`, i.e. all of the host's event history, not just entries from
# the test (some channels refuse `cl` and print an error - expected).
# NOTE(review): clearing a log is itself audited on current Windows (the
# Security log records "the audit log was cleared", event ID 1102), so the
# action is visible to any log forwarding/SIEM. Check the rules of engagement
# authorise log clearing; otherwise leave the logs and note the time window.
wevtutil el | ForEach-Object { wevtutil cl "$_" }
# or clear individual channels:
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# PSReadLine's persistent command history for the current user. Deleting the
# file removes everything ever typed in that profile, not only test commands.
# Clear-History (mentioned in the trailing comment) only empties the current
# session's in-memory list; it does not touch this file.
Remove-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Force # or clear current session: Clear-History
# Removes every prefetch entry on the host (needs an elevated prompt), which
# affects all applications, not only the test tooling; an emptied Prefetch
# folder is a well-known anti-forensics indicator. Record this in the report.
Remove-Item C:\Windows\Prefetch\* -Force
REM cmd.exe syntax: run these from a Command Prompt. In PowerShell `del`
REM aliases Remove-Item, which does not understand the /f /q switches.
del /f /q C:\Windows\Temp\payload.exe
del /f /q C:\Windows\Temp\nc.exe
REM NOTE(review): cmd's del does not expand a wildcard in a directory
REM component, so the C:\Users\* path most likely removes nothing - confirm,
REM and delete per user profile (or use Remove-Item) if so.
del /f /q C:\Users\*\Desktop\rce.exe
# Local account created during the test. For a domain account use
# Remove-ADUser -Identity hacker -Confirm:$false (ActiveDirectory module).
# Keep comments on their own line: '#' is only a comment in PowerShell; in
# cmd.exe the trailing text would be passed to net.exe as extra arguments.
net user hacker /delete
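REM Restore the service's original binary path (replace the placeholder path).
REM sc.exe parses "binpath=" and the value as two separate arguments, so the
REM space after "binpath=" is required; without it the command fails with a
REM usage error and the service is left pointing at the test binary.
REM Verify afterwards with: sc.exe qc cfn-hup
sc.exe config cfn-hup binpath= "C:\original\path\to\service.exe"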
# Run-dialog (Win+R) history of the current user. /va deletes every value under
# the key, not only entries added during the test; /f skips the prompt.
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
# PowerShell: wipes the current user's entire TEMP directory, not just test
# artifacts. Prefer removing the specific files you dropped where possible.
Remove-Item "$env:TEMP\*" -Recurse -Force
REM Replace TaskName with the scheduled task created during the test; /f
REM suppresses the confirmation prompt. Check the name first with
REM `schtasks /query` so no existing task is removed by mistake.
schtasks /delete /tn "TaskName" /f
# Document changes made during the test
# Use dacledit.py (Impacket) to remove added rights. $DOMAIN, $USERNAME and
# $TARGET_IP are shell variables to set beforehand. The password is given on
# the command line, so it ends up in the tester's shell history and process
# list; omit it and Impacket prompts for it instead.
# <target_object> and <your_user> are placeholders: replace them, since a bare
# '<' or '>' is a redirection to the shell.
# NOTE(review): check the trustee flag against your dacledit.py version -
# upstream Impacket names it -principal; -ace-target may not be recognised.
dacledit.py $DOMAIN/$USERNAME:'<password>'@$TARGET_IP \
  -action remove -rights FullControl -target <target_object> -ace-target <your_user>
# Bash history on the Linux host. `history -c` empties the in-memory list and
# `history -w` writes that empty list to $HISTFILE; the echo then leaves a
# one-byte (newline) file rather than an empty one; `unset HISTFILE` stops the
# current session from saving history at exit. Audit/syslog records of the same
# commands are unaffected and, where logs are forwarded, remain on the collector.
history -c && history -w
echo "" > ~/.bash_history
unset HISTFILE
# Removes the key line added during the test. The pattern is a regex: replace
# your_public_key with a fragment unique to your key (e.g. its comment) and
# check the match with `grep -n` first so no client key is deleted. `sed -i`
# differs between GNU and BSD sed (BSD/macOS needs `-i ''`).
sed -i '/your_public_key/d' ~/.ssh/authorized_keys
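# Log locations to review for entries generated by the test. This is a
# reference list, not a command (as a bare shell line the first path would be
# executed). Note the relevant entries and time window in the report; if the
# host forwards logs (syslog/journald/auditd to a collector) copies exist
# off-host regardless of what is done locally.
# /var/log/auth.log
# /var/log/syslog
# /var/log/<service>/
# /var/log/apache2/access.log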
# Tooling dropped on the target. `rm -f` also hides "no such file" errors, so
# confirm with `ls` first if the report needs evidence of removal.
rm -f /tmp/chisel /tmp/socat /tmp/linpeas.sh
# ntlm_theft output files (presumably on the tester's own machine - verify).
# The glob expands in the shell; nothing is removed if it matches no files.
rm -f ~/Tools/ntlm_theft/test*
# For each item:
# - What was created/modified (file path, registry key, AD object, service)
# - When it was created
# - Whether it was successfully removed
# - Any residual changes that could not be reverted