Acknowledgment
I would like to start by thanking the AdaptixC2 developers for this incredible framework. The recent additions of the SAL, SAR, and Post-Ex BOFs have significantly enhanced the operator's experience and stealth capabilities. Your work is truly exceptional.
1. Concept
I am writing to propose the development of a dedicated Anti-Forensic BOF that integrates the core logic and capabilities of Idov31's Mr. Kaplan. This module would empower operators to manage their forensic footprint directly from the Beacon, ensuring a clean and professional decommissioning of any operation.
Reference Project: https://github.com/Idov31/MrKaplan
2. Proposed Features
The goal is to port the following functionalities from Mr. Kaplan into a BOF format for AdaptixC2:
Telemetry Suppression: Ability to temporarily stop or suspend event logging to prevent the recording of malicious activities.
Artifact Sanitization: Comprehensive clearing of both File and Registry artifacts (e.g., Prefetch, ShimCache, UserAssist) that record execution history.
Multi-User Support: Capability to identify and clear artifacts across multiple user profiles on the system.
Context Awareness: Designed to run effectively as both a standard User and as Admin/SYSTEM (leveraging full privileges for deep-system cleaning).
Temporal Integrity: Ability to save and restore original file timestamps to maintain a consistent forensic timeline.
Selective Filtering (Exclusion): A strategic feature to exclude certain operations from being cleaned, allowing the operator to leave "decoy" artifacts for Blue Teams while hiding the actual intent.
3. Strategic Value
By implementing these features as a BOF, AdaptixC2 will provide a professional "cleanup" suite that works entirely in-memory. This eliminates the need for external tools and ensures that the post-exploitation phase remains as stealthy as the initial breach.
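From the defender's side, as an added example that is not part of the issue or the AdaptixC2 project: each capability listed above leaves its own trace on the host, and the script below runs a handful of detection rules over constructed Windows event records to show what a Blue Team would look for (Security 1102 and System 104 for cleared logs, System 7036 for the Event Log service stopping, Sysmon 23/26 for deleted Prefetch files, Sysmon 12 for deleted UserAssist or AppCompatCache keys). The flat record layout (`Channel`/`Provider`/`EventID`/`Data`), the sample paths, user name and SID are assumptions of this example; the event IDs and artifact locations are the standard Windows and Sysmon ones.

```python
"""Detection-side companion to the anti-forensic feature list above.

Added example, not code from the issue or the AdaptixC2 project. The event
records are constructed for illustration; the dict layout is an assumption of
this script and not a real log export format.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry). The SID, paths and user are made up.
SAMPLE_EVENTS: List[Dict] = [
    {"Channel": "Security", "Provider": "Microsoft-Windows-Eventlog", "EventID": 1102,
     "Data": {"SubjectUserName": "alice"}},
    {"Channel": "System", "Provider": "Service Control Manager", "EventID": 7036,
     "Data": {"param1": "Windows Event Log", "param2": "stopped"}},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "Provider": "Microsoft-Windows-Sysmon",
     "EventID": 23,
     "Data": {"TargetFilename": r"C:\Windows\Prefetch\CMD.EXE-89305D47.pf",
              "Image": r"C:\Users\alice\AppData\Local\Temp\cleanup.exe"}},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "Provider": "Microsoft-Windows-Sysmon",
     "EventID": 12,
     "Data": {"EventType": "DeleteKey",
              "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software"
                              r"\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
                              r"\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count"}},
    # Ordinary interactive logon: must not trigger anything.
    {"Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4624,
     "Data": {"LogonType": "2"}},
]

# Registry locations that hold execution history (the artifacts the request wants wiped).
EXEC_HISTORY_KEYS = ("\\explorer\\userassist\\", "\\session manager\\appcompatcache")


@dataclass(frozen=True)
class Alert:
    rule: str      # short rule name
    family: str    # "telemetry" (logging disabled/cleared) or "artifact" (history wiped)
    event_id: int
    detail: str


def _is_prefetch_file(path: str) -> bool:
    """True for files under the Prefetch directory with the .pf extension."""
    p = path.lower()
    return p.startswith("c:\\windows\\prefetch\\") and p.endswith(".pf")


def _is_exec_history_key(key: str) -> bool:
    k = key.lower()
    return any(marker in k for marker in EXEC_HISTORY_KEYS)


def detect(events: Iterable[Dict]) -> List[Alert]:
    """Apply the detection rules in order and return one Alert per matching event."""
    alerts: List[Alert] = []
    for ev in events:
        ch, eid, data = ev["Channel"], ev["EventID"], ev.get("Data", {})
        sysmon = ch.startswith("Microsoft-Windows-Sysmon")
        if ch == "Security" and eid == 1102:
            alerts.append(Alert("audit_log_cleared", "telemetry", eid,
                                f"Security log cleared by {data.get('SubjectUserName', '?')}"))
        elif ch == "System" and eid == 104:
            alerts.append(Alert("event_log_cleared", "telemetry", eid,
                                f"log cleared: {data.get('Channel', '?')}"))
        elif (ch == "System" and eid == 7036
              and data.get("param1") == "Windows Event Log" and data.get("param2") == "stopped"):
            alerts.append(Alert("eventlog_service_stopped", "telemetry", eid,
                                "Windows Event Log service entered the stopped state"))
        elif sysmon and eid in (23, 26) and _is_prefetch_file(data.get("TargetFilename", "")):
            alerts.append(Alert("prefetch_file_deleted", "artifact", eid,
                                f"{data.get('Image', '?')} deleted {data['TargetFilename']}"))
        elif (sysmon and eid == 12 and data.get("EventType") in ("DeleteKey", "DeleteValue")
              and _is_exec_history_key(data.get("TargetObject", ""))):
            alerts.append(Alert("exec_history_registry_deleted", "artifact", eid,
                                data["TargetObject"]))
    return alerts


def triage(alerts: List[Alert]) -> str:
    """Telemetry suppression plus artifact wiping on one host is the cleanup pattern itself."""
    families = {a.family for a in alerts}
    if {"telemetry", "artifact"} <= families:
        return "high"
    return "medium" if families else "none"


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.family}] {a.rule} (EventID {a.event_id}): {a.detail}")
    print("triage:", triage(found))
```

The point of `triage` is that any single rule here has benign explanations (an administrator clearing a log, a service restart), while the combination of logging being stopped or cleared and execution-history artifacts disappearing in the same window is the sequence the requested feature set would produce, so it is the correlation, not the individual events, that deserves an alert.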