Cleanup

00:00

Hello and welcome to another penetration. Testing execution Standard discussion. Today we're going to be looking at cleanup within the post exploitation phase of the Pee test standard.

00:10

Now is a general reminder. Pee test videos do cover system tools, hacking techniques, things of that nature. And so any tools or techniques demonstrated should be researched and understood by the user. And any applicable laws and regulations should be understood and researched by the users well to ensure that they don't get into any trouble with the law.

00:29

Today's objectives are pretty straightforward. We want to discuss why we clean up

00:34

and some examples of clean up steps.

00:39

Now, why do we clean up? Well, It reduces the risk of a threat actor using our tools against the client. It reduces our liability. In the instance, the client is compromised post testing and it's the polite thing to do. I mean, you don't go to somebody's house

00:54

and walk through with dirty shoes on or something like that, and then just leave it land there or you don't volunteer to clean it up or something like that. I mean, the tester

01:02

again should document all modifications and changes made to systems so that they can reverse them at the conclusion of the test. And so, if you're not doing that than you're doing yourself a disservice to doing your climb into service and you're leaving their network

01:15

in a potentially vulnerable state. So here's some example. Steps that you can follow if you don't have a cleanup checklist already. So the process covers the requirements for cleaning up systems once the PIN test has been completed.

01:29

This includes all user accounts and miners used during the test. To remove all, execute a ble scripts and temporary files from compromise systems.

01:37

If possible, use secure. Delete methods for removing the files and folders. Return to original value system settings and application configuration parameters. If they were modified during the assessment, remove all back doors and root kits installed. Removed any user accounts created for connecting back to compromise systems. Now this isn't a comprehensive list.

01:57

And

01:59

if you did some type of testing for a client where they may be made an image of the system prior to you, doing testing

02:05

would be beneficial. Maybe to revert back to that image and just to be safe and ensure that everything's taken off of here. But like we said, if you leave something on a system, if something happens and you didn't clean up that system and they do some forensics and find that it was a tool you put there, that could be hard to explain later on, when you know,

02:23

state officials come looking to ask you why you hacked the system and you didn't have anything to do with it.

02:29

So in summary, we discussed why we clean up and some example steps for doing that again. If you've already got a list or away that you're doing this, by all means continue to follow it. But it's best practice to ensure that we clean up our mess and that we leave the crying in as good or a better state than we found them. So