Eradicating Malware from Infected Systems
When to Use
- Malware infection confirmed and containment is in place
- Forensic investigation has identified all persistence mechanisms
- All compromised systems have been identified and scoped
- Ready to remove attacker artifacts and restore clean state
- Post-containment phase requires systematic cleanup
Prerequisites
- Completed forensic analysis identifying all malware artifacts
- List of all compromised systems and accounts
- EDR/AV with updated signatures deployed
- YARA rules for the specific malware family
- Clean system images or verified backups for restoration
- Network isolation still in effect during eradication
Workflow
Step 1: Map All Persistence Mechanisms
# Windows - Check all known persistence locations
# Autoruns (Sysinternals) - comprehensive autostart enumeration
autorunsc.exe -accepteula -a * -c -h -s -v > autoruns_report.csv
# Registry Run keys
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /s
# Scheduled tasks
schtasks /query /fo CSV /v > schtasks_all.csv
# WMI event subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
# Services
Get-Service | Where-Object {$_.Status -eq 'Running'} | Select-Object Name, DisplayName, BinaryPathName
# Linux persistence
cat /etc/crontab
ls -la /etc/cron.*/
ls -la /etc/init.d/
systemctl list-unit-files --type=service | grep enabled
cat /etc/rc.local
ls -la ~/.bashrc ~/.profile ~/.bash_profile
Step 2: Identify All Malware Artifacts
# Scan with YARA rules specific to the malware family
yara -r -s malware_rules/specific_family.yar C:\ 2>/dev/null
# Scan with multiple AV engines
# ClamAV scan
clamscan -r --infected --remove=no /mnt/infected_disk/
# Check for known malicious file hashes
find / -type f -newer /tmp/baseline_timestamp -exec sha256sum {} \; 2>/dev/null | \
while read hash file; do
grep -q "$hash" known_malicious_hashes.txt && echo "MALICIOUS: $file ($hash)"
done
# Check for web shells
find /var/www/ -name "*.php" -newer /tmp/baseline -exec grep -l "eval\|base64_decode\|system\|passthru\|shell_exec" {} \;
# Check for unauthorized SSH keys
find / -name "authorized_keys" -exec cat {} \; 2>/dev/null
Step 3: Remove Malware Files and Artifacts
# Remove identified malicious files (after forensic imaging)
# Windows
Remove-Item -Path "C:\Windows\Temp\malware.exe" -Force
Remove-Item -Path "C:\Users\Public\backdoor.dll" -Force
# Remove malicious scheduled tasks
schtasks /delete /tn "MaliciousTaskName" /f
# Remove WMI persistence
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='MalFilter'" | Remove-WMIObject
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='MalConsumer'" | Remove-WMIObject
# Remove malicious registry entries
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MalEntry" /f
# Remove malicious services
sc stop "MalService" && sc delete "MalService"
# Linux - Remove malicious cron entries, binaries, SSH keys
crontab -r # Remove entire crontab (or edit specific entries)
rm -f /tmp/.hidden_backdoor
sed -i '/malicious_key/d' ~/.ssh/authorized_keys
systemctl disable malicious-service && rm /etc/systemd/system/malicious-service.service
Step 4: Reset Compromised Credentials
# Reset all compromised user passwords
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=CompromisedUsers,DC=domain,DC=com" |
Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "TempP@ss!$(Get-Random)" -AsPlainText -Force)
# Reset KRBTGT password (twice, 12+ hours apart for Kerberos golden ticket attack)
Reset-KrbtgtPassword -DomainController DC01
# Wait 12+ hours, then reset again
Reset-KrbtgtPassword -DomainController DC01
# Rotate service account passwords
Get-ADServiceAccount -Filter * | ForEach-Object {
Reset-ADServiceAccountPassword -Identity $_.Name
}
# Revoke all Azure AD tokens
Get-AzureADUser -All $true | ForEach-Object {
Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId
}
# Rotate API keys and secrets
# Application-specific credential rotation
Step 5: Patch Vulnerability Used for Initial Access
# Identify and patch the entry point vulnerability
# Windows Update
Install-WindowsUpdate -KBArticleID "KB5001234" -AcceptAll -AutoReboot
# Linux patching
apt update && apt upgrade -y # Debian/Ubuntu
yum update -y # RHEL/CentOS
# Application-specific patches
# Update web application frameworks, CMS, etc.
# Verify patch was applied
Get-HotFix -Id "KB5001234"
Step 6: Validate Eradication
# Full system scan with updated signatures
# CrowdStrike Falcon - On-demand scan
curl -X POST "https://api.crowdstrike.com/scanner/entities/scans/v1" \
-H "Authorization: Bearer $FALCON_TOKEN" \
-H "Content-Type: application/json" \
-d '{"ids": ["device_id"]}'
# Verify no persistence mechanisms remain
autorunsc.exe -accepteula -a * -c -h -s -v | findstr /i "unknown verified"
# Check for any remaining suspicious processes
Get-Process | Where-Object {$_.Path -notlike "C:\Windows\*" -and $_.Path -notlike "C:\Program Files*"}
# Verify no unauthorized network connections
Get-NetTCPConnection -State Established |
Where-Object {$_.RemoteAddress -notlike "10.*" -and $_.RemoteAddress -notlike "172.16.*"} |
Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
# Run YARA rules again to confirm no artifacts remain
yara -r malware_rules/specific_family.yar C:\ 2>/dev/null
Key Concepts
| Concept | Description | |---------|-------------| | Persistence Mechanism | Method attacker uses to maintain access across reboots | | Root Cause Remediation | Fixing the vulnerability that enabled initial compromise | | Credential Rotation | Resetting all potentially compromised passwords and tokens | | KRBTGT Reset | Invalidating Kerberos tickets after golden ticket attack | | Indicator Sweep | Scanning all systems for known malicious artifacts | | Validation Scan | Confirming eradication was successful before recovery | | Re-imaging | Rebuilding systems from clean images rather than cleaning |
Tools & Systems
| Tool | Purpose | |------|---------| | Sysinternals Autoruns | Enumerate all Windows autostart locations | | YARA | Custom rule-based malware scanning | | CrowdStrike/SentinelOne | EDR-based scanning and remediation | | ClamAV | Open-source antivirus scanning | | PowerShell | Scripted cleanup and validation | | Velociraptor | Remote artifact collection and remediation |
Common Scenarios
- RAT with Multiple Persistence: Remote access trojan using registry, scheduled task, and WMI subscription. Must remove all three persistence mechanisms.
- Web Shell on IIS/Apache: PHP/ASPX web shell in web root. Remove shell, audit all web files, patch application vulnerability.
- Rootkit Infection: Kernel-level rootkit that survives cleanup. Requires full re-image from known-good media.
- Fileless Malware: PowerShell-based attack living in memory and registry. Remove registry entries, clear WMI subscriptions, restart system.
- Active Directory Compromise: Attacker created backdoor accounts and golden tickets. Reset KRBTGT, remove rogue accounts, audit group memberships.
Output Format
- Eradication action log with all removed artifacts
- Credential rotation confirmation report
- Vulnerability patching verification
- Post-eradication validation scan results
- Systems cleared for recovery phase