# Windows Anti-Forensics: Erasing Tracks to Evade Blue Team in Red Team Ops

In red team engagements, persistence is only half the battle evasion is the other. A single overlooked log, cached DNS entry, or recoverable deleted file can unravel an entire operation. This post details a battle-tested sequence of native Windows commands designed to **systematically erase forensic artifacts** while minimizing noise and maximizing coverage.

These commands target:

* Red Ghost OpsFree spaceRed Ghost Ops (unrecoverable deletion)
    
* Red Ghost OpsEvent logsRed Ghost Ops
    
* Red Ghost OpsDNS cacheRed Ghost Ops
    
* Red Ghost OpsBrowser artifactsRed Ghost Ops
    
* Red Ghost OpsNTFS metadata (USN Journal)Red Ghost Ops
    
* Red Ghost OpsTemp files, prefetch, print spoolRed Ghost Ops
    
* Red Ghost OpsTelemetry and error reportingRed Ghost Ops
    

> Warning (Red Team Disclaimer): Use only in authorized engagements. These actions are irreversible and may trigger EDR alerts if not executed with proper OPSEC.

---

## 1\. Overwrite Free Space – Prevent File Recovery

```plaintext
cipher /w:C:\
```

* **Purpose**: Overwrites **all free space** on C:\\ with 0x00, 0xFF, and random data (3-pass pattern).
    
* **Impact**: Deleted files become **unrecoverable** by forensic tools (Recuva, Autopsy, etc.).
    
* **Risk**: High I/O and CPU usage. **Slow** (hours on large drives). No effect on active files.
    
* **Blue Team Counter**: Volume Shadow Copies (VSS) may still contain prior snapshots.
    

## 2\. Flush DNS Cache – Break Local Resolution Trails

```plaintext
ipconfig /flushdns
```

* **Purpose**: Clears locally cached DNS resolutions.
    
* **Impact**: Forces fresh DNS queries—removes evidence of C2 domains accessed.
    
* **Risk**: Low. May cause brief connectivity delays.
    
* **Blue Team Counter**: Network logs (firewall, DNS server) remain untouched.
    

---

## 3\. Clear System Event Log

```plaintext
wevtutil cl System
```

* **Purpose**: **Permanently deletes** the System event log.
    
* **Impact**: Removes boot, driver, service, and security events.
    
* **Risk**: **Irreversible**. Breaks incident timeline reconstruction.
    
* **Blue Team Counter**: SIEM ingestion prior to clear; Event Log backup services.
    

---

## 4\. Wipe IE/Edge Legacy Browser Artifacts

```plaintext
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
```

* **Purpose**: Deletes **history, cookies, cache, passwords, form data** from IE/Edge (legacy).
    
* **Impact**: Covers web-based C2 (e.g., Empire over HTTP).
    
* **Risk**: Low. Affects only IE/Edge components.
    
* **Blue Team Counter**: Modern Edge (Chromium) uses different storage—use browser-specific tools.
    

---

## 5\. Delete NTFS USN Change Journal

```plaintext
fsutil usn deletejournal /d /n C:
```

* **Purpose**: Erases the **USN Journal** ($UsnJrnl), which tracks file creation/modification/deletion.
    
* **Impact**: Breaks **incremental backups**, file indexing (Search, antivirus), and timeline analysis.
    
* **Risk**: **High**—may corrupt backup chains or trigger AV rescans.
    
* **Blue Team Counter**: Journal may auto-recreate on next change; prior entries lost.
    

---

## 6\. Clear User Temp Files

```plaintext
del /f /s /q %TEMP%\*.*
```

* **Purpose**: Force-deletes all files in the user’s temp directory.
    
* **Impact**: Removes payloads, scripts, or tools staged in %TEMP%.
    
* **Risk**: Low–moderate. Running apps may crash if files are in use.
    
* **Blue Team Counter**: File access monitoring (Sysmon Event ID 11) may log before deletion.
    

---

## 7\. Disable Hibernation & Delete hiberfil.sys

```plaintext
powercfg /hibernate off
```

* **Purpose**: Removes hiberfil.sys (size ≈ RAM), a common forensic goldmine (contains RAM dump).
    
* **Impact**: Frees space; prevents hibernation.
    
* **Risk**: Reversible (powercfg /hibernate on). Disables Fast Startup.
    
* **Blue Team Counter**: None if executed post-exfiltration.
    

---

## 8\. Reset TCP/IP Stack

```plaintext
netsh interface ipv4 reset
```

* **Purpose**: Clears custom IP/DNS settings, proxy configs, and interface state.
    
* **Impact**: Useful after using static routes or proxychains.
    
* **Risk**: Requires reconfig or reboot. May break VPNs.
    
* **Blue Team Counter**: Netflow or interface config logs.
    

---

## 9\. Clear Print Spooler Queue

```plaintext
del /q /f /s %systemroot%\System32\spool\PRINTERS\*
```

* **Purpose**: Deletes pending print jobs (often contain sensitive docs or stagers).
    
* **Impact**: Cancels all print jobs.
    
* **Risk**: Low. May require spooler restart if files locked.
    
* **Blue Team Counter**: PrintNightmare or spooler monitoring.
    

---

## 10\. Disable Telemetry

```plaintext
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
```

* **Purpose**: Sets telemetry to **0** (disabled) via GPO-style registry key.
    
* **Impact**: Reduces diagnostic data sent to Microsoft.
    
* **Risk**: Low. May not apply on Home editions.
    
* **Blue Team Counter**: Central telemetry collection (e.g., OMS, Defender ATP).
    

---

## 11\. Clear Prefetch Files

```plaintext
del /q /f /s %SystemRoot%\Prefetch\*.*
```

* **Purpose**: Deletes .pf files that record **application execution paths and timestamps**.
    
* **Impact**: Removes evidence of tool usage (e.g., mimikatz.exe).
    
* **Risk**: Temporary performance hit on app launch.
    
* **Blue Team Counter**: Prefetch parsing (e.g., PECmd, WinPMEM).
    

---

## 12\. Disable Windows Error Reporting

```plaintext
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1
```

* **Purpose**: Stops crash dumps and error reports.
    
* **Impact**: Prevents upload of memory dumps containing keys or tokens.
    
* **Risk**: Low. Hinders post-exploitation analysis.
    
* **Blue Team Counter**: Local WER queue before upload.
    

---

## Execution Order & OPSEC Tips

```plaintext
cipher /w:C:\
ipconfig /flushdns
wevtutil cl System
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
fsutil usn deletejournal /d /n C:
del /f /s /q %TEMP%\*.*
powercfg /hibernate off
netsh interface ipv4 reset
del /q /f /s %systemroot%\System32\spool\PRINTERS\*
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
del /q /f /s %SystemRoot%\Prefetch\*.*
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1
```

### OPSEC Recommendations:

* **Run as SYSTEM** (via psexec -s or token impersonation).
    
* **Disable EDR hooks** first (if possible).
    
* **Avoid GUI**—use cmd or PowerShell with -WindowStyle Hidden.
    
* **Stagger execution** to avoid I/O spikes.
    
* **Check VSS** first: vssadmin list shadows → delete if needed (/for=C:).
    

---

## What This **Doesn’t** Cover

* **Memory forensics** (use Rundll32.exe comsvcs.dll MiniDump countermeasures separately)
    
* **Modern Edge/Chrome** (use Get-Process msedge | Stop-Process + clear %LocalAppData%\\Microsoft\\Edge)
    
* **Sysmon/Event Forwarding**
    
* **MFT/$LogFile** (use fsutil behavior set disablecompression 1 + ntfsinfo)
    

---

## Final Notes

This sequence turns a compromised host into a **forensic black hole**. Blue team will see:

* No event logs
    
* No prefetch
    
* No DNS history
    
* No recoverable deleted files
    

> **Red Team Pro Tip**: Combine with **timestomping**, **logon spoofing**, and **AMS1 bypass** for full-spectrum evasion.

Stay ghosted.
