Overview
MrKaplan is a tool aimed to help red teamers stay hidden and clear as much forensic traces as possible. It works by saving information such as the time it ran, under which user and “reverting” the computer to look like before MrKaplan ran.
MrKaplan is able to remove the following forensic artifacts:
- PowerShell History
- iNetCache
- Windows History
- Office History
- CryptNetCache
- Prefetch
- Windows Event Logs
- Windows Registry (UserAssist, comdlg32, bam, AppCompatCache)
| Tool Name | Version | MITRE ATT&CK Tactic | MITRE ATT&CK Technique |
|---|---|---|---|
| MrKaplan | v1.1.1 | Defense Evasion | Indicator Removal Modify Registry |
MrKaplan Help Page
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
.\MrKaplan.ps1 help
███╗░░░███╗██████╗░░░░██╗░░██╗░█████╗░██████╗░██╗░░░░░░█████╗░███╗░░██╗
████╗░████║██╔══██╗░░░██║░██╔╝██╔══██╗██╔══██╗██║░░░░░██╔══██╗████╗░██║
██╔████╔██║██████╔╝░░░█████═╝░███████║██████╔╝██║░░░░░███████║██╔██╗██║
██║╚██╔╝██║██╔══██╗░░░██╔═██╗░██╔══██║██╔═══╝░██║░░░░░██╔══██║██║╚████║
██║░╚═╝░██║██║░░██║██╗██║░╚██╗██║░░██║██║░░░░░███████╗██║░░██║██║░╚███║
╚═╝░░░░░╚═╝╚═╝░░╚═╝╚═╝╚═╝░░╚═╝╚═╝░░╚═╝╚═╝░░░░░╚══════╝╚═╝░░╚═╝╚═╝░░╚══╝
[*] Possible Usage:
[*] Show help message:
.\MrKaplan.ps1 help
[*] For config creation and start:
.\MrKaplan.ps1 begin
.\MrKaplan.ps1 begin -Users Reddington,Liz
.\MrKaplan.ps1 begin -Users Reddington
.\MrKaplan.ps1 begin -EtwBypassMethod overflow
.\MrKaplan.ps1 begin -RunAsUser
.\MrKaplan.ps1 begin -Exclusions BamKey, OfficeHistory
[*] For cleanup:
.\MrKaplan.ps1 end
[*] To save file's timestamps:
.\MrKaplan.ps1 timestomp -StompedFilePath C:\path\to\file
Detecting MrKaplan
A YARA file is available via the MrKaplan Github page.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
/*
A rule to detect MrKaplan.
Author: Ido Veltzman (Idov31)
Date: 15-04-2022
*/
rule MrKaplanStandalone {
meta:
description = "A rule to detect MrKaplanStandalone."
author = "Idov31"
date = "2022-04-15"
strings:
$imports1 = /[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(.*) | Invoke-Expression/i nocase
$imports2 = /[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(.*) | iex/i nocase
$s1 = "MrKaplan.ps1" ascii nocase
$s2 = "Clear-Evidence" ascii nocase
$s3 = "EventLogSettings" ascii nocase
$s4 = "runAsUser" ascii nocase
$s5 = "PSHistory" ascii nocase
$s6 = "C:\\Users\\$($user)\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt" ascii nocase
$s7 = "HKCU:\Software\MrKaplan" ascii nocase
$s8 = "Invoke-StompFiles" ascii nocase
$s9 = "Clear-Files" ascii nocase
$s10 = "Clear-Registry" ascii nocase
$s11 = "Invoke-RestoreEtw" ascii nocase
$s12 = "Invoke-LogFileToStomp" ascii nocase
$s13 = "Invoke-SuspendEtw" ascii nocase
conditions:
any of $imports* and 3 of ($s*)
}
rule MrKaplan {
meta:
description = "A rule to detect MrKaplan."
author = "Idov31"
date = "2022-04-15"
strings:
$imports1 = "Import-Module .\\Modules\\Registry.psm1" ascii nocase
$imports2 = "Import-Module .\\Modules\\Files.psm1" ascii nocase
$imports3 = "Import-Module .\\Modules\\Eventlogs.psm1" ascii nocase
$imports4 = "Import-Module .\\Modules\\Utils.psm1" ascii nocase
$imports5 = "ipmo .\\Modules\\Registry.psm1" ascii nocase
$imports6 = "ipmo .\\Modules\\Files.psm1" ascii nocase
$imports7 = "ipmo .\\Modules\\Eventlogs.psm1" ascii nocase
$imports8 = "ipmo .\\Modules\\Utils.psm1" ascii nocase
$s1 = "MrKaplan.ps1" ascii nocase
$s2 = "Clear-Evidence" ascii nocase
$s3 = "EventLogSettings" ascii nocase
$s4 = "runAsUser" ascii nocase
$s5 = "PSHistory" ascii nocase
$s6 = "C:\\Users\\$($user)\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt" ascii nocase
$s7 = "HKCU:\Software\MrKaplan" ascii nocase
$s8 = "Invoke-StompFiles" ascii nocase
$s9 = "Clear-Files" ascii nocase
$s10 = "Clear-Registry" ascii nocase
$s11 = "Invoke-RestoreEtw" ascii nocase
$s12 = "Invoke-LogFileToStomp" ascii nocase
$s13 = "Invoke-SuspendEtw" ascii nocase
conditions:
4 of $imports* and 3 of ($s*)
}