Cleanup techniques
On-host artifact removal and anti-forensics primitives applied at the end of an operation. Each package targets one specific class of artifact (file on disk, memory region, NTFS timestamp, service registration, in-memory state). Compose them as the implant tears itself down.
TL;DR
A typical end-of-mission chain: memory.WipeAndFree keys → timestomp any
artefacts you can't delete → wipe.File what you can → service.HideService
or unregister → selfdelete.Run (or bsod.Trigger if egress is critical).
Where to start (novice path):
memory-wipe— applies during the operation (not just at end). Wipe keys / decrypted bytes as soon as you're done with them.self-delete— most common end-of-op cleanup. Drop the running EXE from disk while the process keeps executing.wipe+timestomp— pair when you can't delete (loaded library, reference held by another process).ads— for stashing payloads / state during ops, not just cleanup.bsod— last-resort kill switch only. Destructive + irreversible.
Packages
| Package | Tech page | Detection | One-liner |
|---|---|---|---|
cleanup/ads | ads.md | quiet | NTFS Alternate Data Streams CRUD |
cleanup/bsod | bsod.md | very-noisy | Trigger BSOD via NtRaiseHardError — last-resort kill switch |
cleanup/memory | memory-wipe.md | very-quiet | SecureZero / WipeAndFree / DoSecret for in-process secrets |
cleanup/selfdelete | self-delete.md | moderate | Delete the running EXE via NTFS ADS rename + delete-on-close |
cleanup/service | service.md | noisy | Hide a Windows service via DACL manipulation |
cleanup/timestomp | timestomp.md | quiet | Reset $STANDARD_INFORMATION MAC timestamps |
cleanup/wipe | wipe.md | quiet | Multi-pass random overwrite then os.Remove |
Quick decision tree
| You want to… | Use |
|---|---|
| …forget keys/credentials still in process memory | memory.SecureZero or memory.WipeAndFree |
…make a dropped artefact's mtime match notepad.exe | timestomp.CopyFrom |
| …shred a file before removing it | wipe.File (low-volume forensics) or pair it with timestomp |
| …delete the running EXE and exit cleanly | selfdelete.Run |
| …terminate the host immediately to stop log shipping | bsod.Trigger (last resort) |
…hide a Windows service from services.msc | service.HideService |
| …stash a payload on disk where Explorer can't see it | ads.Write |
MITRE ATT&CK
| T-ID | Name | Packages | D3FEND counter |
|---|---|---|---|
| T1070 | Indicator Removal | cleanup/memory, cleanup/timestomp, cleanup/wipe, cleanup/selfdelete | D3-RAPA, D3-PFV |
| T1070.004 | File Deletion | cleanup/wipe, cleanup/selfdelete | D3-PFV |
| T1070.006 | Timestomp | cleanup/timestomp | D3-FH (File Hashing) |
| T1529 | System Shutdown/Reboot | cleanup/bsod | D3-PSEP |
| T1543.003 | Create or Modify System Process: Windows Service | cleanup/service | D3-RAPA |
| T1564 | Hide Artifacts | cleanup/service, cleanup/ads | D3-RAPA |
| T1564.004 | NTFS File Attributes | cleanup/ads | D3-FCR (File Content Rules) |