Analysis of a PowerShell script designed to hide traces of remote monitoring and management (RMM) tools (Atera and Splashtop) on Windows systems. The script modifies registry keys to hide the software from the Apps & features interface, removes installation folders from the Start Menu and ProgramData directories, and renames firewall rules to disguise their origin. Testing reveals that the cleanup is superficial and easily detectable through forensic analysis: the script only masks visual indicators and does not thoroughly remove the underlying artifacts.
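As an added defender-side example (not code from the dfir.ch post), the following PowerShell snippet surfaces the two visual-masking tricks the summary describes: Uninstall entries that match an RMM watchlist and carry the SystemComponent=1 flag that hides them from Apps & features, and firewall rules whose program path still points at an Atera or Splashtop binary while the rule name no longer mentions it. The SystemComponent mechanism and the watchlist pattern are assumptions, not details taken from the post.

```powershell
# Added example, not from the dfir.ch post. Assumes Windows PowerShell 5.1 or PowerShell 7
# with the built-in NetSecurity module, run elevated on the host under review.
# The watchlist is a constructed assumption; extend it for other RMM products.
$watch = 'Atera|Splashtop'

# --- 1. Uninstall entries hidden from Apps & features ---------------------------
# Assumption: the hiding trick sets SystemComponent=1 on the Uninstall subkey, which
# the Apps & features UI honours. The entry itself stays in the registry, so we can
# still find it by name, install path or uninstall command.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$rmmEntries = foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $text = "$($p.DisplayName) $($p.InstallLocation) $($p.UninstallString)"
        if ($text -match $watch) {
            [pscustomobject]@{
                Key               = $_.PSChildName
                DisplayName       = $p.DisplayName
                HiddenFromAppList = ($p.SystemComponent -eq 1)   # the masking flag
                InstallLocation   = $p.InstallLocation
            }
        }
    }
}

# --- 2. Firewall rules renamed to disguise their origin -----------------------
# Renaming a rule changes DisplayName only; its application filter still carries the
# binary path, so a watched program behind an unrelated name is the tell.
$suspectRules = foreach ($rule in Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $program = ($rule | Get-NetFirewallApplicationFilter).Program
    if ($program -match $watch -and $rule.DisplayName -notmatch $watch) {
        [pscustomobject]@{
            Name        = $rule.Name
            DisplayName = $rule.DisplayName
            Program     = $program
            Enabled     = $rule.Enabled
        }
    }
}

"Uninstall entries matching the watchlist: $(@($rmmEntries).Count)"
$rmmEntries   | Format-Table -AutoSize
"Firewall rules pointing at watched binaries under another name: $(@($suspectRules).Count)"
$suspectRules | Format-Table -AutoSize
```

The script only reads registry and firewall state; it changes nothing on the host.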

Source: dfir.ch (4 minute read)
Table of contents
Introduction
Find installed software
Removing folders
Remove traces in the Firewall Rules
Testing
Conclusion
