Development and operations a practical guide
Engagement modification removal checklist
Download 4.62 Mb. View original pdf
|
- Navigate this page:
- Consider This
- Operator Log Verification
| Engagement modification removal checklist ● Revert file system modifications ● Remove access mechanisms and backdoors ● Remove files dropped by an operator or operator’s tools ● Ensure file artifacts generated by the mechanism are removed. ● Examine the entire system to confirm that the mechanism was not inadvertently copied or moved. ● Remove or restore Registry keys if used. ● Restore modified files. ● Remove or replace launch files with the originals. ● Examine startup scripts if used. Note that startup content may have changed. ● Remove execution mechanisms. Remove the installation mechanism. ● Copy log files generated by the mechanism to the Red Team repository and remove them from the target system. ● Remove C persistence mechanisms ● Terminate C channels ● Continue connection monitoring for stray or missed mechanisms. ● Repeat the process for strays. ● Provide a list of all artifacts, names, hashes, locations, and their cleanup status to the TA. Consider This Sometimes the target organization may want specific artifacts (perhaps all) left on the network for training or tool and processing tuning purposes. This must be approved and documented prior to engagement closure. A list of all artifacts and modifications must still be provided to the target’s designated TA. Operator Log Verification Each operator must verify the completion of his or her operator logs prior to the end of an engagement. Each must also check that all operator logs, data collected via automation, target data, and screenshots have been appropriately named and stored in the engagement data folder. Consider This It’s best to perform operator log completion throughout the engagement. An engagement lead who has operators ensure logs are complete before the end of each day will significantly reduce missing logs or critical screenshots. Upon the notification of completion by the operators, the Red Team lead must review the consolidation. If the lead is satisfied that the data is complete, they should create a hashed compressed archive of all data. Copies made of the archive should be stored in an approved location. This archive is can bean encrypted removable media device that maintains controlled access or any approved location for storage of this sensitive data. The Red Team Lead is ultimately responsible for the acceptance, review, and consolidation of operator logs and all data. It is highly recommended that the Red Team Lead periodically check the team's repository during engagement execution to ensure that records are being completed, data is being appropriately named and stored, and logs reflect adherence to the ROE. Download 4.62 Mb. Share with your friends:
|