seikaikyo/eradicating-malware-from-infected-systems

Eradicating Malware from Infected Systems

When to Use

• Malware infection confirmed and containment is in place
• Forensic investigation has identified all persistence mechanisms
• All compromised systems have been identified and scoped
• Ready to remove attacker artifacts and restore clean state
• Post-containment phase requires systematic cleanup

Prerequisites

• Completed forensic analysis identifying all malware artifacts
• List of all compromised systems and accounts
• EDR/AV with updated signatures deployed
• YARA rules for the specific malware family
• Clean system images or verified backups for restoration
• Network isolation still in effect during eradication

Workflow

Step 1: Map All Persistence Mechanisms

# Windows - Check all known persistence locations
# Autoruns (Sysinternals) - comprehensive autostart enumeration
autorunsc.exe -accepteula -a * -c -h -s -v > autoruns_report.csv

# Registry Run keys
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /s

# Scheduled tasks
schtasks /query /fo CSV /v > schtasks_all.csv

# WMI event subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

# Services
Get-Service | Where-Object {$_.Status -eq 'Running'} | Select-Object Name, DisplayName, BinaryPathName

# Linux persistence
cat /etc/crontab
ls -la /etc/cron.*/
ls -la /etc/init.d/
systemctl list-unit-files --type=service | grep enabled
cat /etc/rc.local
ls -la ~/.bashrc ~/.profile ~/.bash_profile

Step 2: Identify All Malware Artifacts

# Scan with YARA rules specific to the malware family
yara -r -s malware_rules/specific_family.yar C:\ 2>/dev/null

# Scan with multiple AV engines
# ClamAV scan
clamscan -r --infected --remove=no /mnt/infected_disk/

# Check for known malicious file hashes
find / -type f -newer /tmp/baseline_timestamp -exec sha256sum {} \; 2>/dev/null | \
  while read hash file; do
    grep -q "$hash" known_malicious_hashes.txt && echo "MALICIOUS: $file ($hash)"
  done

# Check for web shells
find /var/www/ -name "*.php" -newer /tmp/baseline -exec grep -l "eval\|base64_decode\|system\|passthru\|shell_exec" {} \;

# Check for unauthorized SSH keys
find / -name "authorized_keys" -exec cat {} \; 2>/dev/null

Step 3: Remove Malware Files and Artifacts

# Remove identified malicious files (after forensic imaging)
# Windows
Remove-Item -Path "C:\Windows\Temp\malware.exe" -Force
Remove-Item -Path "C:\Users\Public\backdoor.dll" -Force

# Remove malicious scheduled tasks
schtasks /delete /tn "MaliciousTaskName" /f

# Remove WMI persistence
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='MalFilter'" | Remove-WMIObject
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='MalConsumer'" | Remove-WMIObject

# Remove malicious registry entries
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MalEntry" /f

# Remove malicious services
sc stop "MalService" && sc delete "MalService"

# Linux - Remove malicious cron entries, binaries, SSH keys
crontab -r  # Remove entire crontab (or edit specific entries)
rm -f /tmp/.hidden_backdoor
sed -i '/malicious_key/d' ~/.ssh/authorized_keys
systemctl disable malicious-service && rm /etc/systemd/system/malicious-service.service

Step 4: Reset Compromised Credentials

# Reset all compromised user passwords
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=CompromisedUsers,DC=domain,DC=com" |
  Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "TempP@ss!$(Get-Random)" -AsPlainText -Force)

# Reset KRBTGT password (twice, 12+ hours apart for Kerberos golden ticket attack)
Reset-KrbtgtPassword -DomainController DC01
# Wait 12+ hours, then reset again
Reset-KrbtgtPassword -DomainController DC01

# Rotate service account passwords
Get-ADServiceAccount -Filter * | ForEach-Object {
  Reset-ADServiceAccountPassword -Identity $_.Name
}

# Revoke all Azure AD tokens
Get-AzureADUser -All $true | ForEach-Object {
  Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId
}

# Rotate API keys and secrets
# Application-specific credential rotation

Step 5: Patch Vulnerability Used for Initial Access

# Identify and patch the entry point vulnerability
# Windows Update
Install-WindowsUpdate -KBArticleID "KB5001234" -AcceptAll -AutoReboot

# Linux patching
apt update && apt upgrade -y  # Debian/Ubuntu
yum update -y                 # RHEL/CentOS

# Application-specific patches
# Update web application frameworks, CMS, etc.

# Verify patch was applied
Get-HotFix -Id "KB5001234"

Step 6: Validate Eradication

# Full system scan with updated signatures
# CrowdStrike Falcon - On-demand scan
curl -X POST "https://api.crowdstrike.com/scanner/entities/scans/v1" \
  -H "Authorization: Bearer $FALCON_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ids": ["device_id"]}'

# Verify no persistence mechanisms remain
autorunsc.exe -accepteula -a * -c -h -s -v | findstr /i "unknown verified"

# Check for any remaining suspicious processes
Get-Process | Where-Object {$_.Path -notlike "C:\Windows\*" -and $_.Path -notlike "C:\Program Files*"}

# Verify no unauthorized network connections
Get-NetTCPConnection -State Established |
  Where-Object {$_.RemoteAddress -notlike "10.*" -and $_.RemoteAddress -notlike "172.16.*"} |
  Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess

# Run YARA rules again to confirm no artifacts remain
yara -r malware_rules/specific_family.yar C:\ 2>/dev/null

Key Concepts

| Concept | Description | |---------|-------------| | Persistence Mechanism | Method attacker uses to maintain access across reboots | | Root Cause Remediation | Fixing the vulnerability that enabled initial compromise | | Credential Rotation | Resetting all potentially compromised passwords and tokens | | KRBTGT Reset | Invalidating Kerberos tickets after golden ticket attack | | Indicator Sweep | Scanning all systems for known malicious artifacts | | Validation Scan | Confirming eradication was successful before recovery | | Re-imaging | Rebuilding systems from clean images rather than cleaning |

Tools & Systems

| Tool | Purpose | |------|---------| | Sysinternals Autoruns | Enumerate all Windows autostart locations | | YARA | Custom rule-based malware scanning | | CrowdStrike/SentinelOne | EDR-based scanning and remediation | | ClamAV | Open-source antivirus scanning | | PowerShell | Scripted cleanup and validation | | Velociraptor | Remote artifact collection and remediation |

Common Scenarios

1. RAT with Multiple Persistence: Remote access trojan using registry, scheduled task, and WMI subscription. Must remove all three persistence mechanisms.
2. Web Shell on IIS/Apache: PHP/ASPX web shell in web root. Remove shell, audit all web files, patch application vulnerability.
3. Rootkit Infection: Kernel-level rootkit that survives cleanup. Requires full re-image from known-good media.
4. Fileless Malware: PowerShell-based attack living in memory and registry. Remove registry entries, clear WMI subscriptions, restart system.
5. Active Directory Compromise: Attacker created backdoor accounts and golden tickets. Reset KRBTGT, remove rogue accounts, audit group memberships.

Output Format

• Eradication action log with all removed artifacts
• Credential rotation confirmation report
• Vulnerability patching verification
• Post-eradication validation scan results
• Systems cleared for recovery phase