4.3 Reporting & communications: Post-Report Activities Flashcards
What is the purpose of Post-Report Activities?
This ensures no artifacts or evidence were left on the target system, which include:
▪ Delete files
▪ Remove accounts
▪ Uninstall tools
▪ Restore configurations
▪ Restore log files
▪ Purge sensitive details
How to ensure that shells and tools are properly cleaned up in Windows and Linux?
Keep detailed notes of everything that was installed and every system that was exploited:
▪ Linux: Crontab, Startup script
▪ Windows: Startup, Registry key, Advanced techniques, Task scheduler
Some tools may have been loaded into memory when fileless malware was used
How to ensure the test credentials are properly deleted?
Check:
o Local Accounts
o Domain Accounts
o Web Application Accounts
o Delete all accounts used on different systems
o Delete all created domain accounts in Active Directory
o Some web application accounts require manual deletion in the user account database
o Delete all created accounts used for an engagement
How to ensure test data are destroyed on both Windows and Linux (5)?
Check:
o Systems
o Attacking Machines
o Internal Shared Drives
o Linux: Data Shredding = The process of securely destroying the data by overwriting storage with new data or a series of random ones and zeroes
o Windows: Install third-party tools and save to an external hard drive
o Ensure all collected data has been properly destroyed
What are the lessons learned at the end of an audit?
An analysis of the events that could provide insights into how to improve the penetration testing process in the future