Lesson 01: The Residue Problem
Estimated read time: ~5 minutes • Last updated: September 4, 2025
Learning Objectives
- Define Indicators of Compromise (IOCs) and why they matter.
- Identify common types of residue left behind during operations.
- Recognize the risks of uncleaned residue to attribution and timeline reconstruction.
- Apply practical steps to minimize, disguise, and remove residue without raising alarms.
Every action in cyberspace leaves behind residue—artifacts, logs, and traces of activity. Defenders call these Indicators of Compromise (IOCs). For operators, residue is a liability: the more you leave, the easier it becomes to reconstruct what you did, how long you were present, and where you came from.
Types of Residue & Where They Hide
- File artifacts: dropped payloads, renamed binaries, scripts, prefetch entries, shim caches, LNK files, $MFT/$LogFile remnants, bash history, shell RC files.
- System changes: persistence mechanisms (Windows registry Run/RunOnce, services, WMI; Linux cron/systemd), security policy changes, EDR tampering traces.
- Event logs: Windows Security/Sysmon, Linux syslog/auditd, application logs, firewall/IDS, VPN/proxy access logs.
- Network traces: DNS queries, NetFlow, proxy logs, TLS fingerprints/JA3, unusual timing/size patterns.
Why Residue Decides Outcomes
Residue enables attribution (linking events to actors), timelining (reconstructing dwell time and movement), and toolmark analysis (identifying families of tools and procedures). Unmanaged residue makes incident response faster and more precise.
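The timelining point above is easiest to see with a worked correlation. The script below is an added example, not part of the lesson: it stitches residue from three independent sources (file-system mtime/ctime pairs, an SSH auth log, a DNS query log) into one timeline, derives login session windows, and flags two things a responder looks for: a file whose ctime lands inside a session while its mtime is much older (mtime can be rewritten from user space, ctime cannot, so the mismatch is a timestomping indicator) and DNS queries that fall inside a session and can therefore be attributed to it. All hostnames, users, paths, addresses and log lines are constructed sample data.

```python
"""Cross-source residue correlation (added example, constructed data)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

YEAR = 2025  # syslog lines carry no year; the constructed data is from 2025


@dataclass(frozen=True)
class Event:
    ts: datetime   # when the source says it happened (UTC)
    source: str    # which residue source produced it
    detail: str


# --- constructed sample residue; host, user, IPs and paths are hypothetical ---
FILE_META = [
    # path, mtime, ctime (ctime is set by the kernel and cannot be chosen via utimes())
    ("/tmp/.cache/upd", "2025-03-02 14:05:10", "2025-03-09 03:14:31"),
    ("/home/svc/.bash_history", "2025-03-09 03:19:42", "2025-03-09 03:19:42"),
]
AUTH_LOG = """\
Mar  9 03:12:07 web01 sshd[4121]: Accepted password for svc from 203.0.113.7 port 51822 ssh2
Mar  9 03:12:07 web01 sshd[4121]: pam_unix(sshd:session): session opened for user svc
Mar  9 03:19:40 web01 sshd[4121]: pam_unix(sshd:session): session closed for user svc
"""
DNS_LOG = """\
2025-03-09T03:13:02Z web01 query A upd.example-cdn.invalid
"""

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(text):
    """Parse classic syslog lines (no year) into Events."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hms, _host, msg = m.groups()
        ts = datetime.strptime(f"{YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, "auth.log", msg))
    return events


def parse_dns(text):
    """Parse '<iso-ts> <host> query <type> <name>' lines into Events."""
    events = []
    for line in text.splitlines():
        ts_s, _host, _kw, qtype, name = line.split()
        events.append(Event(datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), "dns", f"{qtype} {name}"))
    return events


def parse_files(meta):
    """Emit one Event for the mtime and one for the ctime of each file."""
    events = []
    for path, mtime, ctime in meta:
        events.append(Event(datetime.strptime(ctime, "%Y-%m-%d %H:%M:%S"), "fs.ctime", path))
        events.append(Event(datetime.strptime(mtime, "%Y-%m-%d %H:%M:%S"), "fs.mtime", path))
    return events


def session_windows(auth_events):
    """Pair 'session opened'/'session closed' lines into (user, start, end) windows."""
    windows, open_at = [], {}
    for ev in auth_events:
        m = re.search(r"session (opened|closed) for user (\S+)", ev.detail)
        if not m:
            continue
        state, user = m.groups()
        if state == "opened":
            open_at[user] = ev.ts
        elif user in open_at:
            windows.append((user, open_at.pop(user), ev.ts))
    return windows


def build_timeline():
    """Merge all sources into a single time-ordered list."""
    events = parse_syslog(AUTH_LOG) + parse_dns(DNS_LOG) + parse_files(FILE_META)
    return sorted(events, key=lambda e: e.ts)


def find_anomalies(events, windows, skew=timedelta(hours=1)):
    """Flag timestomp indicators and attribute in-session DNS queries."""
    findings = []
    ctimes = {e.detail: e.ts for e in events if e.source == "fs.ctime"}
    mtimes = {e.detail: e.ts for e in events if e.source == "fs.mtime"}
    for user, start, end in windows:
        for path, c in ctimes.items():
            # ctime inside the session but mtime far older: metadata was rewritten
            if start <= c <= end and c - mtimes[path] > skew:
                findings.append(f"timestomp? {path}: mtime {mtimes[path]} vs ctime {c} (session {user})")
        for e in events:
            if e.source == "dns" and start <= e.ts <= end:
                findings.append(f"dns in session {user}: {e.detail}")
    return findings


if __name__ == "__main__":
    timeline = build_timeline()
    for ev in timeline:
        print(f"{ev.ts:%Y-%m-%d %H:%M:%S}  {ev.source:<9} {ev.detail}")
    for f in find_anomalies(timeline, session_windows(parse_syslog(AUTH_LOG))):
        print("FINDING:", f)
```

Each source alone is ambiguous: the auth log shows only a login, the DNS log only a query, the file only an old-looking mtime. Merged on time, they tell the coherent story the lesson describes, and the mtime/ctime mismatch shows why a single rewritten timestamp does not survive comparison against a field the kernel controls.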
Real-World Context & Evidence
In the APT1 report (2013), investigators connected years of operations via consistent IOCs—hash reuse, infrastructure overlap, and login patterns. Likewise, the US DoJ’s case on the Yahoo breach leveraged logs revealing abnormal admin access events. Small artifacts across many actions told a coherent story.
Minimize, Disguise, and Clean
- Prefer fileless tradecraft: LOLBins/LOLBAS, in-memory execution, transient shells. Reduce writes.
- Plan exit before entry: pre-stage cleanup scripts; know log locations and rotation cadence.
- Blend timestamps: adjust MAC times to fit baseline; avoid “brand-new at 03:12” anomalies.
- Redirect vs. delete: replacing with plausible noise can be less suspicious than gaps.
- Contain credentials: avoid storing secrets in cleartext files or shell history; use ephemeral tokens.
- Control tooling sprawl: fewer custom binaries → smaller signature surface.
Walkthrough: Identify & Clean (Lab)
- Execute a known tool (e.g., nmap -A or a small loader) on a snapshot VM.
- Enumerate artifacts: Windows (Event Viewer, Sysmon, prefetch), Linux (journalctl, ~/.bash_history, /var/log), network PCAP/NetFlow.
- Design cleanup: remove droppers, rotate/merge logs with plausible events, normalize timestamps.
- Validate: re-image or second snapshot; perform triage with forensics utilities—what remains?
Exercise
- On a lab VM, run a benign tool that still creates artifacts (e.g., nmap or powershell Get-Process with logging enabled).
- Catalog IOCs (files, logs, registry keys, timelines). Produce a 10-line IOC table.
- Implement a cleanup and disguise plan; repeat triage to measure residue reduction.
Deliverable: IOC table + cleanup notes + before/after triage summary.
Key Takeaways
- Residue is inevitable; unmanaged residue enables rapid attribution.
- Plan exits early: pre-staged cleanup beats improvisation.
- Deleting isn’t enough—disguise, blend, and minimize creation in the first place.
- OPSEC is measured by what you don’t leave behind.