| name | eradicating-malware-from-infected-systems |
| description | Systematically remove malware, backdoors, and attacker persistence mechanisms from infected systems while ensuring complete eradication and preventing re-infection. |
| domain | cybersecurity |
| subdomain | incident-response |
| tags | - incident-response - eradication - malware-removal - persistence - dfir |
| mitre_attack | - T1547 - T1053 - T1543 - T1574 |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - RS.MA-01 - RS.MA-02 - RS.AN-03 - RC.RP-01 |
Eradicating Malware from Infected Systems
When to Use
- Malware infection confirmed and containment is in place
- Forensic investigation has identified all persistence mechanisms
- All compromised systems have been identified and scoped
- Ready to remove attacker artifacts and restore clean state
- Post-containment phase requires systematic cleanup
Prerequisites
- Completed forensic analysis identifying all malware artifacts
- List of all compromised systems and accounts
- EDR/AV with updated signatures deployed
- YARA rules for the specific malware family
- Clean system images or verified backups for restoration
- Network isolation still in effect during eradication
Workflow
Step 1: Map All Persistence Mechanisms
autorunsc.exe -accepteula -a * -c -h -s -v > autoruns_report.csv
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /s
schtasks /query /fo CSV /v > schtasks_all.csv
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
Get-Service | Where-Object {$_.Status -eq 'Running'} | Select-Object Name, DisplayName, BinaryPathName
cat /etc/crontab
ls -la /etc/cron.*/
ls -la /etc/init.d/
systemctl list-unit-files --type=service | grep enabled
cat /etc/rc.local
ls -la ~/.bashrc ~/.profile ~/.bash_profile
Step 2: Identify All Malware Artifacts
yara -r -s malware_rules/specific_family.yar C:\ 2>/dev/null
clamscan -r --infected --remove=no /mnt/infected_disk/
find / -type f -newer /tmp/baseline_timestamp -exec sha256sum {} \; 2>/dev/null | \
while read hash file; do
grep -q "$hash" known_malicious_hashes.txt && echo "MALICIOUS: $file ($hash)"
done
find /var/www/ -name "*.php" -newer /tmp/baseline -exec grep -l "eval\|base64_decode\|system\|passthru\|shell_exec" {} \;
find / -name "authorized_keys" -exec cat {} \; 2>/dev/null
Step 3: Remove Malware Files and Artifacts
Remove-Item -Path "C:\Windows\Temp\malware.exe" -Force
Remove-Item -Path "C:\Users\Public\backdoor.dll" -Force
schtasks /delete /tn "MaliciousTaskName" /f
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='MalFilter'" | Remove-WMIObject
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='MalConsumer'" | Remove-WMIObject
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MalEntry" /f
sc stop "MalService" && sc delete "MalService"
crontab -r
rm -f /tmp/.hidden_backdoor
sed -i '/malicious_key/d' ~/.ssh/authorized_keys
systemctl disable malicious-service && rm /etc/systemd/system/malicious-service.service
Step 4: Reset Compromised Credentials
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=CompromisedUsers,DC=domain,DC=com" |
Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "TempP@ss!$(Get-Random)" -AsPlainText -Force)
Reset-KrbtgtPassword -DomainController DC01
Reset-KrbtgtPassword -DomainController DC01
Get-ADServiceAccount -Filter * | ForEach-Object {
Reset-ADServiceAccountPassword -Identity $_.Name
}
Get-AzureADUser -All $true | ForEach-Object {
Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId
}
Step 5: Patch Vulnerability Used for Initial Access
Install-WindowsUpdate -KBArticleID "KB5001234" -AcceptAll -AutoReboot
apt update && apt upgrade -y
yum update -y
Get-HotFix -Id "KB5001234"
Step 6: Validate Eradication
curl -X POST "https://api.crowdstrike.com/scanner/entities/scans/v1" \
-H "Authorization: Bearer $FALCON_TOKEN" \
-H "Content-Type: application/json" \
-d '{"ids": ["device_id"]}'
autorunsc.exe -accepteula -a * -c -h -s -v | findstr /i "unknown verified"
Get-Process | Where-Object {$_.Path -notlike "C:\Windows\*" -and $_.Path -notlike "C:\Program Files*"}
Get-NetTCPConnection -State Established |
Where-Object {$_.RemoteAddress -notlike "10.*" -and $_.RemoteAddress -notlike "172.16.*"} |
Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
yara -r malware_rules/specific_family.yar C:\ 2>/dev/null
Key Concepts
| Concept | Description |
|---|
| Persistence Mechanism | Method attacker uses to maintain access across reboots |
| Root Cause Remediation | Fixing the vulnerability that enabled initial compromise |
| Credential Rotation | Resetting all potentially compromised passwords and tokens |
| KRBTGT Reset | Invalidating Kerberos tickets after golden ticket attack |
| Indicator Sweep | Scanning all systems for known malicious artifacts |
| Validation Scan | Confirming eradication was successful before recovery |
| Re-imaging | Rebuilding systems from clean images rather than cleaning |
Tools & Systems
| Tool | Purpose |
|---|
| Sysinternals Autoruns | Enumerate all Windows autostart locations |
| YARA | Custom rule-based malware scanning |
| CrowdStrike/SentinelOne | EDR-based scanning and remediation |
| ClamAV | Open-source antivirus scanning |
| PowerShell | Scripted cleanup and validation |
| Velociraptor | Remote artifact collection and remediation |
Common Scenarios
- RAT with Multiple Persistence: Remote access trojan using registry, scheduled task, and WMI subscription. Must remove all three persistence mechanisms.
- Web Shell on IIS/Apache: PHP/ASPX web shell in web root. Remove shell, audit all web files, patch application vulnerability.
- Rootkit Infection: Kernel-level rootkit that survives cleanup. Requires full re-image from known-good media.
- Fileless Malware: PowerShell-based attack living in memory and registry. Remove registry entries, clear WMI subscriptions, restart system.
- Active Directory Compromise: Attacker created backdoor accounts and golden tickets. Reset KRBTGT, remove rogue accounts, audit group memberships.
Output Format
- Eradication action log with all removed artifacts
- Credential rotation confirmation report
- Vulnerability patching verification
- Post-eradication validation scan results
- Systems cleared for recovery phase
