MrKaplan : Tool Aimed To Help Red Teamers To Stay Hidden By Clearing Evidence Of Execution

MrKaplan is a tool aimed to help red teamers to stay hidden by clearing evidence of execution. It works by saving information such as the time it ran, snapshot of files and associate each evidence to the related user.

This tool is inspired by MoonWalk, a similar tool for Unix machines.

You can read more about it in the wiki page.

Features

• Stopping event logging.
• Clearing files artifacts.
• Clearing registry artifacts.
• Can run for multiple users.
• Can run as user and as admin (Highly recommended to run as admin).
• Can save timestamps of files.
• Can exclude certian operations and leave artifacts to blue teams.

Usage

• Before you start your operations on the computer, run MrKaplan with begin flag and whenever your finish run it again with end flag.
• DO NOT REMOVE MrKaplan registry key, otherwise MrKaplan will not be able to use the information.

IOCs

• Powershell process that access to the artifacts mentioned in the wiki page.
• Powershell importing weird base64 blob.
• Powershell process that performs Token Manipulation.
• MrKaplan’s registry key: HKCU:\Software\MrKaplan.