Data sanitization is a critical component of Red Team operations, especially when it comes to ensuring that sensitive data is securely deleted or otherwise made unrecoverable on a system after use. Here is a list of 30 PowerShell scripts tailored for Red Teamers to sanitize data on Windows systems. These scripts range from simple file deletion to more complex processes like overwriting files, wiping drives, and clearing system logs. Each script serves a specific purpose in ensuring that data is thoroughly removed from the system.
1. Secure File Deletion
```powershell
Remove-Item -Path "C:\SensitiveData\*.*" -Force -Recurse
```
Comment: Recursively deletes all files and folders in a specified directory.
2. File Overwrite Before Deletion
```powershell
# -File keeps directories out of the loop; Set-Content on a directory fails.
$files = Get-ChildItem -Path "C:\SensitiveData\*.*" -Recurse -File
foreach ($file in $files) {
    # One random byte value rendered as text, repeated ten times: a short fixed
    # pattern that replaces the file's content, whatever the file's original size.
    $content = Get-Random -Minimum 0 -Maximum 255 | Out-String
    Set-Content -Path $file.FullName -Value ($content * 10)
    Remove-Item -Path $file.FullName -Force
}
```
Comment: Overwrites the content of files with random data before deleting them.
3. Disk Cleanup
```powershell
# /sagerun:1 replays the cleanup profile saved earlier with "cleanmgr /sageset:1".
Start-Process -FilePath "cleanmgr.exe" -ArgumentList "/sagerun:1" -NoNewWindow -Wait
```
Comment: Runs Windows Disk Cleanup with predefined settings to remove temporary files, system caches, and more.
4. Wipe Free Space
```powershell
cipher /w:C:
```
Comment: Overwrites the free space on a drive to ensure that deleted files cannot be recovered.
5. Clear Event Logs
```powershell
wevtutil cl System
wevtutil cl Application
wevtutil cl Security
```
Comment: Clears specified event logs to remove traces of activity.
6. Clear All Event Logs
```powershell
Get-EventLog -LogName * | ForEach-Object { Clear-EventLog $_.Log }
```
Comment: Clears all event logs across the system.
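The defender's side of scripts 5 and 6, as an added example that is not one of the page's 30 scripts: clearing a log is itself logged. Windows writes Security 1102 ("The audit log was cleared") into the Security log and Microsoft-Windows-Eventlog 104 ("The log file was cleared") into System, both naming the account that did it. A cruder second signal is a log whose oldest surviving record is only minutes old on a machine that has been up for days. Reading the Security log needs an elevated shell; the 7-day window and the 30-minute grace period are this example's assumptions.

```powershell
# Added example (not from the original list): find the traces that log clearing leaves.

function ConvertFrom-LogClearedEvent {
    # Both 1102 and 104 carry their details in <UserData><LogFileCleared>.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $u = $x.Event.UserData.LogFileCleared
    $user = $null
    if ($u) { $user = "$($u.SubjectDomainName)\$($u.SubjectUserName)" }
    # 1102 only ever refers to the Security log; 104 names the cleared channel.
    $channel = 'Security'
    if ($Event.Id -eq 104) { $channel = $u.Channel }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Log     = $Event.LogName
        Id      = $Event.Id
        User    = $user
        Channel = $channel
    }
}

function Get-LogClearEvents {
    param([int]$Days = 7)   # assumption: one week of history
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LogClearedEvent -Event $_ }
    }
}

function Get-LogAgeAnomalies {
    # A cleared log has no records older than the moment it was cleared. If the
    # oldest record is newer than boot time plus a grace period, something emptied it.
    param([string[]]$LogNames = @('Security', 'System', 'Application'), [int]$GraceMinutes = 30)
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    foreach ($name in $LogNames) {
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Log         = $name
            OldestEvent = $oldest.TimeCreated
            BootTime    = $boot
            Suspicious  = ($null -ne $oldest) -and ($oldest.TimeCreated -gt $boot.AddMinutes($GraceMinutes))
        }
    }
}

Get-LogClearEvents  | Format-Table -AutoSize
Get-LogAgeAnomalies | Format-Table -AutoSize
```

Both functions return objects rather than text so the output can be piped to Export-Csv or forwarded to a SIEM; the age check is deliberately separate from the event search because an attacker who clears the Security log also removes older 1102 records, leaving the gap itself as the evidence.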
7. Remove Prefetch Data
```powershell
Remove-Item -Path "C:\Windows\Prefetch\*" -Force
```
Comment: Deletes all files in the Windows Prefetch directory.
8. Delete Recycle Bin Contents
```powershell
Clear-RecycleBin -Force
```
Comment: Empties the Recycle Bin.
9. Remove Internet Explorer Cache
```powershell
Remove-Item -Path "C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\*" -Force -Recurse
```
Comment: Deletes the Internet Explorer cache for all users.
10. Clear DNS Cache
```powershell
Clear-DnsClientCache
```
Comment: Clears the DNS resolver cache on the local machine.
11. Remove Temporary Files
```powershell
Remove-Item -Path "C:\Users\*\AppData\Local\Temp\*" -Force -Recurse
```
Comment: Deletes all temporary files for all users.
12. Overwrite and Delete Pagefile
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" -Name "ClearPageFileAtShutdown" -Value 1
Restart-Computer
```
Comment: Configures the system to clear the pagefile at shutdown, then restarts the computer.
13. Wipe System Restore Points
```powershell
vssadmin delete shadows /for=C: /all /quiet
```
Comment: Deletes all system restore points on the specified drive.
14. Remove Installed Software Entries
```powershell
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | ForEach-Object { Remove-Item -Path $_.PSPath }
```
Comment: Deletes registry entries for installed software, hiding traces of software usage.
15. Clear Windows Update History
```powershell
Remove-Item -Path "C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log" -Force
```
Comment: Deletes Windows Update history logs.
16. Securely Wipe a Specific Directory
```powershell
# -File keeps directories out of the loop; Set-Content on a directory fails.
$files = Get-ChildItem -Path "C:\SensitiveData" -Recurse -File
foreach ($file in $files) {
    # Same pattern as script 2 with a longer repeat: one random byte value as
    # text, written 100 times, in a single pass over each file.
    $content = Get-Random -Minimum 0 -Maximum 255 | Out-String
    Set-Content -Path $file.FullName -Value ($content * 100)
    Remove-Item -Path $file.FullName -Force
}
```
Comment: Overwrites each file in a directory with repeated random data before deleting it.
17. Reset System Logs
```powershell
New-EventLog -LogName "Application" -Source "App"
New-EventLog -LogName "System" -Source "Sys"
New-EventLog -LogName "Security" -Source "Sec"
```
Comment: Registers new event sources in the Application, System and Security logs. New-EventLog only creates a log that does not already exist; on the built-in logs it adds a source and leaves existing entries in place, so this does not clear or reset them.
18. Delete Windows Prefetch Data
```powershell
Remove-Item -Path "C:\Windows\Prefetch\*" -Force -Recurse
```
Comment: Deletes all files in the Prefetch folder to remove traces of executed programs.
19. Remove All Scheduled Tasks
```powershell
Get-ScheduledTask | ForEach-Object { Unregister-ScheduledTask -TaskName $_.TaskName -Confirm:$false }
```
Comment: Removes all scheduled tasks from the system.
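Two checks for the traces that scripts 7, 18 and 19 remove, added here as an example that is not one of the page's 30 scripts. Prefetch: when the prefetcher is on (the EnablePrefetcher registry value is non-zero) and the machine has been up and in use, C:\Windows\Prefetch should hold many .pf files, so a near-empty folder is an anomaly worth putting on a timeline. Scheduled tasks: deleting one writes Security 4699 (requires "Audit Other Object Access Events") and Microsoft-Windows-TaskScheduler/Operational 141 (that channel is disabled by default and has to be turned on beforehand). The MinExpected threshold, the one-hour uptime floor and the 7-day window are this example's assumptions.

```powershell
# Added example (not from the original list): prefetch-state and task-deletion checks.

function Get-EventDataMap {
    # Flatten <EventData><Data Name="..."> pairs into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

function Test-PrefetchState {
    param([string]$PrefetchPath = "$env:SystemRoot\Prefetch", [int]$MinExpected = 20)  # threshold is an assumption
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
    $params  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $enabled = ($null -ne $params) -and ($params.EnablePrefetcher -ne 0)
    $pf      = @(Get-ChildItem -Path $PrefetchPath -Filter '*.pf' -File -ErrorAction SilentlyContinue)
    $newest  = $pf | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $uptime  = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    [pscustomobject]@{
        PrefetchEnabled = $enabled
        PfFileCount     = $pf.Count
        NewestPf        = $newest.LastWriteTime
        UptimeHours     = [math]::Round($uptime.TotalHours, 1)
        # Enabled prefetcher, an hour of uptime, almost no .pf files: someone emptied it.
        Suspicious      = $enabled -and ($uptime.TotalHours -gt 1) -and ($pf.Count -lt $MinExpected)
    }
}

function Get-TaskDeletionEvents {
    param([int]$Days = 7)   # assumption: one week of history
    $since = (Get-Date).AddDays(-$Days)
    $sources = @(
        @{ LogName = 'Security'; Id = 4699; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 141; StartTime = $since }
    )
    foreach ($f in $sources) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $d = Get-EventDataMap -Event $_
            # 4699 names the actor as SubjectUserName; 141 uses UserName.
            $user = if ($_.Id -eq 4699) { $d['SubjectUserName'] } else { $d['UserName'] }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Log      = $_.LogName
                Id       = $_.Id
                User     = $user
                TaskName = $d['TaskName']
            }
        }
    }
}

Test-PrefetchState | Format-List
Get-TaskDeletionEvents | Sort-Object Time | Format-Table -AutoSize
```

A burst of 4699 or 141 events covering every task on the host, all from one account inside a few seconds, is the signature of script 19 rather than of routine administration; the prefetch check is weaker on its own and is best read alongside the log-age anomalies from the earlier detection example.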
20. Remove Network History
```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name "ProxyServer" -Force
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name "ProxyOverride" -Force
```
Comment: Removes the current user's proxy server and proxy bypass settings (ProxyServer and ProxyOverride) from the registry.
21. Delete Shellbag Entries
```powershell
Remove-Item -Path "HKCU:\Software\Microsoft\Windows\Shell\BagMRU" -Recurse -Force
```
Comment: Deletes Shellbag entries, which store information about previously accessed folders.
22. Overwrite and Delete Registry Keys
```powershell
$keys = Get-ChildItem -Path "HKCU:\Software\Microsoft\*"
foreach ($key in $keys) {
    $new_value = Get-Random -Minimum 0 -Maximum 255
    Set-ItemProperty -Path $key.PSPath -Name "*" -Value $new_value
    Remove-Item -Path $key.PSPath -Force
}
```
Comment: Overwrites registry keys with random data before deleting them.
23. Securely Wipe Entire Disk
```powershell
Get-Volume -DriveLetter C | Format-Volume -FileSystem NTFS -Force -Confirm:$false
```
Comment: Formats an entire disk, erasing all data.
24. Disable and Remove System Restore
```powershell
Disable-ComputerRestore -Drive "C:\"
vssadmin delete shadows /for=C: /all /quiet
```
Comment: Disables and deletes all System Restore points.
25. Clear All Browser Histories
```powershell
$locations = @(
    "C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History",
    "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History",
    "C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\places.sqlite"
)
foreach ($location in $locations) {
    Remove-Item -Path $location -Force
}
```
Comment: Deletes browsing history from major web browsers.
26. Clear Run Command History
```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
```
Comment: Clears the Run command history from the Windows registry.
27. Remove System Backups
```powershell
Remove-Item -Path "C:\WindowsImageBackup" -Force -Recurse
```
Comment: Deletes Windows system backup images.
28. Securely Wipe USB Drive
```powershell
Get-Volume -DriveLetter E | Format-Volume -FileSystem NTFS -Force -Confirm:$false
```
Comment: Formats a USB drive, securely erasing all data.
29. Clear Clipboard History
```powershell
Set-Clipboard -Value ""
```
Comment: Clears the clipboard to remove any copied data.
30. Overwrite and Delete Sensitive Registry Entries
```powershell
$keys = Get-ChildItem -Path "HKCU:\Software\Company\SensitiveData"
foreach ($key in $keys) {
    $new_value = Get-Random -Minimum 0 -Maximum 255
    Set-ItemProperty -Path $key.PSPath -Name "*" -Value $new_value
    Remove-Item -Path $key.PSPath -Force
}
```
Comment: Overwrites and deletes sensitive registry entries to ensure they cannot be recovered.
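Hunting for the command lines behind scripts 4, 5, 13, 23, 24 and 28 in two sources a SOC normally already collects, as an added example that is not one of the page's 30 scripts. Security 4688 (process creation) carries the command line only when "Audit Process Creation" and "Include command line in process creation events" are both enabled, and it sees vssadmin, wevtutil and cipher as new processes; cmdlets such as Clear-EventLog or Format-Volume typed into an already-running PowerShell never produce a new process and show up instead as Microsoft-Windows-PowerShell/Operational 4104 (script block logging). The regular expressions and the 7-day window are this example's assumptions, not anything the page provides.

```powershell
# Added example (not from the original list): match logged command lines and script
# blocks against the sanitization commands listed on this page.

# Constructed patterns for this example; extend to taste.
$SanitizationPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'wevtutil(\.exe)?\s+(cl|clear-log)\b',
    'cipher(\.exe)?\s+/w:',
    '\bClear-EventLog\b',
    '\bFormat-Volume\b',
    '\bDisable-ComputerRestore\b',
    'Remove-Item\s.*\\Prefetch'
)

function Test-SanitizationCommandLine {
    # Return the first matching pattern, or $null when nothing matches.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    foreach ($p in $SanitizationPatterns) {
        if ($CommandLine -match $p) { return $p }
    }
    return $null
}

function Get-EventDataMap {
    # Flatten <EventData><Data Name="..."> pairs into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

function Find-SanitizationActivity {
    param([int]$Days = 7)   # assumption: one week of history
    $since = (Get-Date).AddDays(-$Days)

    # Process creation: one event per new process, command line in EventData.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d   = Get-EventDataMap -Event $_
            $hit = Test-SanitizationCommandLine -CommandLine $d['CommandLine']
            if ($hit) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Source  = '4688'
                    User    = $d['SubjectUserName']
                    Process = $d['NewProcessName']
                    Parent  = $d['ParentProcessName']
                    Text    = $d['CommandLine']
                    Matched = $hit
                }
            }
        }

    # Script blocks: catches cmdlets executed inside an existing PowerShell session.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d   = Get-EventDataMap -Event $_
            $hit = Test-SanitizationCommandLine -CommandLine $d['ScriptBlockText']
            if ($hit) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Source  = '4104'
                    User    = $_.UserId
                    Process = $d['Path']
                    Parent  = $null
                    Text    = $d['ScriptBlockText']
                    Matched = $hit
                }
            }
        }
}

Find-SanitizationActivity | Sort-Object Time | Format-Table -AutoSize -Wrap
```

String matching is a first pass, not a verdict: a hit on cipher /w: or vssadmin delete shadows from a backup operator during a maintenance window is routine, while the same commands from an interactive session on a workstation, shortly before the Security 1102 event that script 5 produces, are the sequence worth escalating. Run the hunt from the host's own logs and from the SIEM copy; if the two disagree, the local copy has been edited.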
Conclusion
These 30 PowerShell scripts provide a comprehensive toolkit for data sanitization on Windows systems. They cover various aspects of data removal, from simple file deletions to more complex processes like overwriting data, clearing logs, and wiping entire drives. By utilizing these scripts, Red Teamers can ensure that sensitive data is securely removed from systems after operations, reducing the risk of recovery or forensic analysis. As always, it's important to use these tools responsibly and within the bounds of the law and organizational policy.