eradicating-malware-from-infected-systems

# Eradicating Malware from Infected Systems

## When to Use
- Malware infection confirmed and containment is in place
- Forensic investigation has identified all persistence mechanisms
- All compromised systems have been identified and scoped
- Ready to remove attacker artifacts and restore clean state
- Post-containment phase requires systematic cleanup

## Prerequisites
- Completed forensic analysis identifying all malware artifacts
- List of all compromised systems and accounts
- EDR/AV with updated signatures deployed
- YARA rules for the specific malware family
- Clean system images or verified backups for restoration
- Network isolation still in effect during eradication

## Workflow

### Step 1: Map All Persistence Mechanisms
```bash
# Windows - Check all known persistence locations
# Autoruns (Sysinternals) - comprehensive autostart enumeration
autorunsc.exe -accepteula -a * -c -h -s -v > autoruns_report.csv

# Registry Run keys
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /s

# Scheduled tasks
schtasks /query /fo CSV /v > schtasks_all.csv

# WMI event subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

# Services
Get-Service | Where-Object {$_.Status -eq 'Running'} | Select-Object Name, DisplayName, BinaryPathName

# Linux persistence
cat /etc/crontab
ls -la /etc/cron.*/
ls -la /etc/init.d/
systemctl list-unit-files --type=service | grep enabled
cat /etc/rc.local
ls -la ~/.bashrc ~/.profile ~/.bash_profile
```

### Step 2: Identify All Malware Artifacts
```bash
# Scan with YARA rules specific to the malware family
yara -r -s malware_rules/specific_family.yar C:\ 2>/dev/null

# Scan with multiple AV engines
# ClamAV scan
clamscan -r --infected --remove=no /mnt/infected_disk/

# Check for known malicious file hashes
find / -type f -newer /tmp/baseline_timestamp -exec sha256sum {} \; 2>/dev/null | \
  while read hash file; do
    grep -q "$hash" known_malicious_hashes.txt && echo "MALICIOUS: $file ($hash)"
  done

# Check for web shells
find /var/www/ -name "*.php" -newer /tmp/baseline -exec grep -l "eval\|base64_decode\|system\|passthru\|shell_exec" {} \;

# Check for unauthorized SSH keys
find / -name "authorized_keys" -exec cat {} \; 2>/dev/null
```

### Step 3: Remove Malware Files and Artifacts
```bash
# Remove identified malicious files (after forensic imaging)
# Windows
Remove-Item -Path "C:\Windows\Temp\malware.exe" -Force
Remove-Item -Path "C:\Users\Public\backdoor.dll" -Force

# Remove malicious scheduled tasks
schtasks /delete /tn "MaliciousTaskName" /f

# Remove WMI persistence
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='MalFilter'" | Remove-WMIObject
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='MalConsumer'" | Remove-WMIObject

# Remove malicious registry entries
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MalEntry" /f

# Remove malicious services
sc stop "MalService" && sc delete "MalService"

# Linux - Remove malicious cron entries, binaries, SSH keys
crontab -r  # Remove entire crontab (or edit specific entries)
rm -f /tmp/.hidden_backdoor
sed -i '/malicious_key/d' ~/.ssh/authorized_keys
systemctl disable malicious-service && rm /etc/systemd/system/malicious-service.service
```

### Step 4: Reset Compromised Credentials
```bash
# Reset all compromised user passwords
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=CompromisedUsers,DC=domain,DC=com" |
  Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "TempP@ss!$(Get-Random)" -AsPlainText -Force)

# Reset KRBTGT password (twice, 12+ hours apart for Kerberos golden ticket attack)
Reset-KrbtgtPassword -DomainController DC01
# Wait 12+ hours, then reset again
Reset-KrbtgtPassword -DomainController DC01

# Rotate service account passwords
Get-ADServiceAccount -Filter * | ForEach-Object {
  Reset-ADServiceAccountPassword -Identity $_.Name
}

# Revoke all Azure AD tokens
Get-AzureADUser -All $true | ForEach-Object {
  Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId
}

# Rotate API keys and secrets
# Application-specific credential rotation
```

### Step 5: Patch Vulnerability Used for Initial Access
```bash
# Identify and patch the entry point vulnerability
# Windows Update
Install-WindowsUpdate -KBArticleID "KB5001234" -AcceptAll -AutoReboot

# Linux patching
apt update && apt upgrade -y  # Debian/Ubuntu
yum update -y                 # RHEL/CentOS

# Application-specific patches
# Update web application frameworks, CMS, etc.

# Verify patch was applied
Get-HotFix -Id "KB5001234"
```

### Step 6: Validate Eradication
```bash
# Full system scan with updated signatures
# CrowdStrike Falcon - On-demand scan
curl -X POST "https://api.crowdstrike.com/scanner/entities/scans/v1" \
  -H "Authorization: Bearer $FALCON_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ids": ["device_id"]}'

# Verify no persistence mechanisms remain
autorunsc.exe -accepteula -a * -c -h -s -v | findstr /i "unknown verified"

# Check for any remaining suspicious processes
Get-Process | Where-Object {$_.Path -notlike "C:\Windows\*" -and $_.Path -notlike "C:\Program Files*"}

# Verify no unauthorized network connections
Get-NetTCPConnection -State Established |
  Where-Object {$_.RemoteAddress -notlike "10.*" -and $_.RemoteAddress -notlike "172.16.*"} |
  Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess

# Run YARA rules again to confirm no artifacts remain
yara -r malware_rules/specific_family.yar C:\ 2>/dev/null
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| Persistence Mechanism | Method attacker uses to maintain access across reboots |
| Root Cause Remediation | Fixing the vulnerability that enabled initial compromise |
| Credential Rotation | Resetting all potentially compromised passwords and tokens |
| KRBTGT Reset | Invalidating Kerberos tickets after golden ticket attack |
| Indicator Sweep | Scanning all systems for known malicious artifacts |
| Validation Scan | Confirming eradication was successful before recovery |
| Re-imaging | Rebuilding systems from clean images rather than cleaning |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| Sysinternals Autoruns | Enumerate all Windows autostart locations |
| YARA | Custom rule-based malware scanning |
| CrowdStrike/SentinelOne | EDR-based scanning and remediation |
| ClamAV | Open-source antivirus scanning |
| PowerShell | Scripted cleanup and validation |
| Velociraptor | Remote artifact collection and remediation |

## Common Scenarios

1. **RAT with Multiple Persistence**: Remote access trojan using registry, scheduled task, and WMI subscription. Must remove all three persistence mechanisms.
2. **Web Shell on IIS/Apache**: PHP/ASPX web shell in web root. Remove shell, audit all web files, patch application vulnerability.
3. **Rootkit Infection**: Kernel-level rootkit that survives cleanup. Requires full re-image from known-good media.
4. **Fileless Malware**: PowerShell-based attack living in memory and registry. Remove registry entries, clear WMI subscriptions, restart system.
5. **Active Directory Compromise**: Attacker created backdoor accounts and golden tickets. Reset KRBTGT, remove rogue accounts, audit group memberships.

## Output Format
- Eradication action log with all removed artifacts
- Credential rotation confirmation report
- Vulnerability patching verification
- Post-eradication validation scan results
- Systems cleared for recovery phase