From 66c37e8b53b1bf4d5cadb342a50401e052d2b1ae Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Tue, 31 Oct 2017 12:56:52 -0700 Subject: [PATCH] Evasion and exfil + Added wevtutil and fsutil per what was used recently by BadBuddy Ransomware. + Added 2 ways to compress data with Powershell and rar. --- .../Defense Evasion/Indicator_Removal_on_Host.md | 14 ++++++++++++++ Windows/Exfiltration/Data_Compressed.md | 11 +++++++++++ 2 files changed, 25 insertions(+) create mode 100644 Windows/Exfiltration/Data_Compressed.md diff --git a/Windows/Defense Evasion/Indicator_Removal_on_Host.md b/Windows/Defense Evasion/Indicator_Removal_on_Host.md index 635e4f78..5be6bba5 100644 --- a/Windows/Defense Evasion/Indicator_Removal_on_Host.md +++ b/Windows/Defense Evasion/Indicator_Removal_on_Host.md @@ -11,3 +11,17 @@ Clear system logs Clear Security logs wevtutil cl Security + +Clear Setup logs + + wevtutil cl Setup + +Clear Application logs + + wevtutil cl Application + +## Fsutil + +Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. + + fsutil usn deletejournal /D C: diff --git a/Windows/Exfiltration/Data_Compressed.md b/Windows/Exfiltration/Data_Compressed.md new file mode 100644 index 00000000..ac2307f9 --- /dev/null +++ b/Windows/Exfiltration/Data_Compressed.md @@ -0,0 +1,11 @@ +# File Deletion + +MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002) + +## PowerShell + + powershell.exe dir c:\* -Recurse | Compress-Archive -DestinationPath C:\test\Data.zip + +## Rar + + rar a -r exfilthis.rar *.docx
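Review bot: in the `Indicator_Removal_on_Host.md` hunk, the new `## Fsutil` entry describes what the USN change journal is but never says what the listed command does; a one-line description in the same style as the `Clear Setup logs` / `Clear Application logs` entries above it, e.g. `Delete the USN change journal on the C: volume (/D)`, would keep the page consistent and tell a reader why this is indicator removal rather than a housekeeping command. The commit message also credits these commands to BadBuddy ransomware, but that provenance does not appear anywhere in the file; since the sibling file in this patch links a MITRE ATT&CK technique page, consider adding the same kind of reference (technique ID or source link) next to the `fsutil usn deletejournal /D C:` line so the entry can be traced later.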
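Review bot: the new `Windows/Exfiltration/Data_Compressed.md` file opens with `# File Deletion`, which matches neither the filename nor the linked technique T1002 (Data Compressed); the heading looks copied from another page and should be `# Data Compressed`. On the `## PowerShell` example, `powershell.exe dir c:\* -Recurse | Compress-Archive -DestinationPath C:\test\Data.zip` walks the entire `C:` volume, which will hit access-denied errors on protected directories and is much broader than the `## Rar` example (`rar a -r exfilthis.rar *.docx`) right below it; scoping the PowerShell one-liner to a comparable target directory or file type would make the two entries parallel and the technique easier to reproduce. It may also be worth noting that `rar` is a third-party binary the attacker has to bring along, whereas `Compress-Archive` ships with PowerShell 5 and later.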