
Eradicating Malware from Infected Systems

When to Use

  • Malware infection confirmed and containment is in place
  • Forensic investigation has identified all persistence mechanisms
  • All compromised systems have been identified and scoped
  • Ready to remove attacker artifacts and restore clean state
  • Post-containment phase requires systematic cleanup

Prerequisites

  • Completed forensic analysis identifying all malware artifacts
  • List of all compromised systems and accounts
  • EDR/AV with updated signatures deployed
  • YARA rules for the specific malware family
  • Clean system images or verified backups for restoration
  • Network isolation still in effect during eradication

Workflow

Step 1: Map All Persistence Mechanisms

Windows - check all known persistence locations. Autoruns (Sysinternals) gives the most complete enumeration; keep its CSV as the "before" inventory so the Step 6 run can be compared against it.

```powershell
# Autoruns (Sysinternals): all autostart categories (-a *), CSV output (-c),
# file hashes (-h), signature verification (-s). -v queries VirusTotal by hash
# and needs -vt to accept its terms; omit it on an isolated host or when hashes
# must not leave the environment.
autorunsc.exe -accepteula -a * -c -h -s -v > autoruns_report.csv

# Registry Run keys: HKLM and HKCU, Run and RunOnce, plus the policy Run key
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /s

# Scheduled tasks (verbose CSV includes the command line, author and run-as account)
schtasks /query /fo CSV /v > schtasks_all.csv

# WMI event subscriptions. A subscription is a filter, a consumer and the
# binding between them, so list all three (Windows PowerShell 5.1 syntax; on
# PowerShell 7 use Get-CimInstance, since Get-WmiObject was removed there)
Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding

# Services. Get-Service only exposes BinaryPathName on PowerShell 7+; on Windows
# PowerShell 5.1 the column is silently empty. Win32_Service carries the binary
# path (PathName) and the run-as account (StartName) everywhere.
Get-CimInstance Win32_Service | Where-Object { $_.State -eq 'Running' } |
  Select-Object Name, DisplayName, PathName, StartName
```

Linux persistence:

```bash
# System cron, cron directories and the per-user spools ("crontab -l" only
# shows the current user's entries)
cat /etc/crontab
ls -la /etc/cron.*/
ls -la /var/spool/cron/ /var/spool/cron/crontabs/ 2>/dev/null

# Init scripts and enabled systemd units
ls -la /etc/init.d/
systemctl list-unit-files --type=service | grep enabled
cat /etc/rc.local 2>/dev/null

# Shell startup files for every account, not only the analyst's own ~
for h in /root /home/*; do
  ls -la "$h"/.bashrc "$h"/.profile "$h"/.bash_profile 2>/dev/null
done
```

Step 2: Identify All Malware Artifacts

Every check in this step reports only; nothing is deleted until the artifact has been hashed and imaged (Step 3).

```bash
# Scan with YARA rules specific to the malware family (-s prints the matching
# strings, which helps triage partial matches). On a Windows host scan C:\;
# from a Linux analysis box scan the mount point of the infected disk instead.
yara -r -s malware_rules/specific_family.yar C:\ 2>/dev/null
yara -r -s malware_rules/specific_family.yar /mnt/infected_disk/ 2>/dev/null

# Scan with a second engine. ClamAV in report-only mode (--remove=no) so hits can
# be reviewed and preserved before anything is removed
clamscan -r --infected --remove=no /mnt/infected_disk/

# Check files changed since the baseline against known malicious hashes.
# /tmp/baseline_timestamp is a reference file whose mtime marks the start of
# the intrusion (touch -d "<intrusion start>" /tmp/baseline_timestamp).
# -print0/xargs -0 keeps paths with spaces intact; sha256sum prints "hash  path".
find / -xdev -type f -newer /tmp/baseline_timestamp -print0 2>/dev/null \
  | xargs -0 -r sha256sum 2>/dev/null \
  | while read -r hash file; do
      grep -qiF "$hash" known_malicious_hashes.txt && echo "MALICIOUS: $file ($hash)"
    done

# Check for web shells. grep -E is required: plain grep treats "|" as a literal
# character, so the alternation never matches without it. The "\;" terminator
# must be escaped or the shell consumes it.
find /var/www/ -type f \( -name "*.php" -o -name "*.aspx" -o -name "*.jsp" \) -newer /tmp/baseline \
  -exec grep -lE "eval|base64_decode|system|passthru|shell_exec" {} \;

# Check for unauthorized SSH keys; print the file name with each key so the
# owning account is obvious
find / -xdev -type f -name "authorized_keys" -exec sh -c 'echo "== $1"; cat "$1"' _ {} \; 2>/dev/null
```
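The hash sweep and web-shell check above, as one reusable script. This is an added example, not code from the original runbook: hash_sweep hashes every file under a root (a live system or a mounted image) and joins the results against a hash list, and webshell_scan applies the heuristic with grep -E (plain grep treats "|" literally, so the pattern needs -E). The hash-list format (one SHA-256 per line, optional comment, CRLF tolerated), the baseline reference file and the example paths are assumptions; both functions only report and never delete.

```bash
#!/usr/bin/env bash
# Added example, not part of the original runbook. Report-only: findings are
# printed so they can be imaged and logged before Step 3 removes anything.

# _find_files ROOT SINCE [find-expression...]: NUL-separated regular files under
# ROOT, limited to files modified after the reference file SINCE when given
_find_files() {
    local root="$1" since="$2"; shift 2
    if [ -n "$since" ]; then
        find "$root" -xdev -type f -newer "$since" "$@" -print0 2>/dev/null
    else
        find "$root" -xdev -type f "$@" -print0 2>/dev/null
    fi
}

# hash_sweep ROOT HASHFILE [SINCE]: print "MALICIOUS<TAB>hash<TAB>path" for every
# file whose SHA-256 appears in HASHFILE (assumed format: one hash per line,
# optional comment after whitespace; case and CRLF line endings do not matter)
hash_sweep() {
    local root="$1" hashes="$2" since="${3:-}"
    # -print0/-0 keeps paths with spaces intact; sha256sum emits "hash  path"
    _find_files "$root" "$since" |
        xargs -0 -r sha256sum 2>/dev/null |
        awk -v hashfile="$hashes" '
            BEGIN {
                while ((getline line < hashfile) > 0) {
                    sub(/\r$/, "", line)
                    split(line, f, /[ \t]+/)
                    if (f[1] != "") bad[tolower(f[1])] = 1
                }
            }
            ($1 in bad) { print "MALICIOUS\t" $1 "\t" substr($0, index($0, "  ") + 2) }'
}

# webshell_scan WEBROOT [SINCE]: print each script file that calls a common
# web-shell primitive. Heuristic only: review every hit by hand, since
# legitimate frameworks also use some of these functions.
webshell_scan() {
    local webroot="$1" since="${2:-}"
    _find_files "$webroot" "$since" \( -name '*.php' -o -name '*.phtml' -o -name '*.aspx' -o -name '*.jsp' \) |
        xargs -0 -r grep -lE '(eval|assert|base64_decode|gzinflate|str_rot13|system|passthru|shell_exec|popen|proc_open)[[:space:]]*\(' 2>/dev/null || true
}

# Usage against an image mounted at /mnt/infected_disk (assumed paths):
#   touch -d "<intrusion start>" /tmp/baseline_timestamp
#   hash_sweep /mnt/infected_disk known_malicious_hashes.txt /tmp/baseline_timestamp
#   webshell_scan /mnt/infected_disk/var/www /tmp/baseline_timestamp
```

Run both against the mounted image rather than the live host where possible: a rootkit on the live system can hide files from find, and the mount keeps the sweep from touching atimes on the evidence disk if it is mounted read-only.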

Step 3: Remove Malware Files and Artifacts

Remove identified malicious files only after forensic imaging, or at minimum after each artifact has been hashed and copied to evidence storage.

Windows:

```powershell
# Remove malicious files (paths are placeholders taken from the artifact list)
Remove-Item -Path "C:\Windows\Temp\malware.exe" -Force
Remove-Item -Path "C:\Users\Public\backdoor.dll" -Force

# Remove malicious scheduled tasks
schtasks /delete /tn "MaliciousTaskName" /f

# Remove WMI persistence. Delete the binding as well as the filter and the
# consumer: a leftover filter/consumer pair can simply be re-bound later.
# (Windows PowerShell 5.1; on PowerShell 7 use Get-CimInstance/Remove-CimInstance.)
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
  Where-Object { $_.Filter -like '*MalFilter*' -or $_.Consumer -like '*MalConsumer*' } |
  Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='MalFilter'" | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='MalConsumer'" | Remove-WmiObject

# Remove malicious registry entries (repeat for HKCU and the RunOnce keys)
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MalEntry" /f

# Remove malicious services. In PowerShell "sc" is an alias for Set-Content and
# "&&" is not supported before PowerShell 7, so call sc.exe on separate lines
sc.exe stop "MalService"
sc.exe delete "MalService"
```

Linux - remove malicious cron entries, binaries, SSH keys and units:

```bash
# Edit the specific cron entries rather than wiping the crontab: "crontab -r"
# removes every entry, legitimate ones included. Check the per-user spools
# (crontab -u <user> -l) as well as root's.
crontab -l                                              # review first
crontab -l | grep -vF 'malicious_command' | crontab -   # drop only the attacker's line(s)

rm -f /tmp/.hidden_backdoor

# Remove the attacker's key by a unique substring of its comment or key material
sed -i '/malicious_key/d' ~/.ssh/authorized_keys

# Stop and disable the malicious unit, delete it, then reload so systemd
# forgets the unit instead of reporting it as "not-found"
systemctl disable --now malicious-service
rm -f /etc/systemd/system/malicious-service.service
systemctl daemon-reload
```
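The Linux removals above, as an added example that is not part of the original runbook. Every file is copied to an evidence directory and hashed before it is edited; only lines containing a given fixed string are removed, so "crontab -r" (which wipes the whole crontab) is never needed; and the file is rewritten through its existing inode so owner and mode survive, which matters because sshd ignores an authorized_keys file with loose permissions. EVIDENCE_DIR, the sample key comment and the paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original runbook. EVIDENCE_DIR is an assumed
# location; point it at evidence storage, not at the infected disk.
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/ir-evidence}"

# preserve FILE: copy FILE into the evidence directory and record its hash
preserve() {
    local f="$1" dest
    mkdir -p "$EVIDENCE_DIR"
    dest="$EVIDENCE_DIR/$(date +%Y%m%dT%H%M%S)_$(printf '%s' "$f" | tr '/' '_')"
    cp -p "$f" "$dest"
    sha256sum "$dest" >> "$EVIDENCE_DIR/manifest.sha256"
}

# remove_lines FILE NEEDLE: delete every line containing the fixed string NEEDLE
# (-F, so "." and "*" in key material or paths are not regex metacharacters)
# and print the number of lines removed. Refuses an empty NEEDLE, which would
# match (and delete) every line.
remove_lines() {
    local file="$1" needle="$2" tmp before after
    [ -n "$needle" ] || { printf 'remove_lines: refusing empty pattern\n' >&2; return 1; }
    [ -f "$file" ] || { printf '0\n'; return 0; }
    preserve "$file"
    before=$(grep -c '' "$file" || true)      # counts a final unterminated line too
    tmp=$(mktemp)
    grep -vF -- "$needle" "$file" > "$tmp" || true   # grep -v exits 1 when nothing is left
    cat "$tmp" > "$file"                      # same inode: owner and mode are kept
    rm -f "$tmp"
    after=$(grep -c '' "$file" || true)
    printf '%d\n' $((before - after))
}

# remove_ssh_key ROOT NEEDLE: strip an attacker key, identified by a unique
# substring of its comment or key material, from every authorized_keys under
# ROOT (use the mount point when working on an image). Prints lines removed.
remove_ssh_key() {
    local root="$1" needle="$2" total=0 n f list
    list=$(mktemp)
    find "$root" -xdev -type f -name authorized_keys 2>/dev/null > "$list"
    while IFS= read -r f; do
        n=$(remove_lines "$f" "$needle")
        total=$((total + n))
    done < "$list"
    rm -f "$list"
    printf '%d\n' "$total"
}

# remove_cron_entry USER NEEDLE: drop matching lines from USER's crontab via
# crontab(1) so the spool file keeps its ownership. Run as root on a live host.
remove_cron_entry() {
    local user="$1" needle="$2" tmp
    [ -n "$needle" ] || return 1
    tmp=$(mktemp)
    crontab -u "$user" -l > "$tmp" 2>/dev/null || true
    mkdir -p "$EVIDENCE_DIR"
    cp "$tmp" "$EVIDENCE_DIR/crontab_${user}_$(date +%Y%m%dT%H%M%S)"
    grep -vF -- "$needle" "$tmp" | crontab -u "$user" -
    rm -f "$tmp"
}

# Usage (assumed values):
#   remove_ssh_key /mnt/infected_disk 'attacker@c2'
#   remove_cron_entry www-data '/tmp/.hidden_backdoor'
```

The manifest written by preserve doubles as the "eradication action log with all removed artifacts" listed under Output Format: each entry records what the file looked like immediately before it was changed.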

Step 4: Reset Compromised Credentials

```powershell
# Reset every account in the compromised-users OU (placeholder OU) and force a
# change at next logon. "TempP@ss!" plus Get-Random is a guessable pattern, so
# treat the value as one-time and deliver it out of band.
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=CompromisedUsers,DC=domain,DC=com" | ForEach-Object {
    Set-ADAccountPassword -Identity $_ -Reset -NewPassword (ConvertTo-SecureString "TempP@ss!$(Get-Random)" -AsPlainText -Force)
    Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
}

# Reset the KRBTGT password twice. The KDC accepts tickets under the current and
# the previous key, so one reset leaves golden tickets valid. The second reset
# must wait until the first has replicated to every DC and longer than the
# maximum ticket lifetime (10 hours by default, hence 12+ hours); two resets in
# quick succession invalidate every legitimate ticket at once.
# Reset-KrbtgtPassword is not an ActiveDirectory module cmdlet (it is a helper
# from a reset script; Microsoft publishes New-KrbtgtKeys.ps1, which also
# verifies replication). The native equivalent is below; the DC discards the
# supplied value and generates a random key.
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString "ignored-$(Get-Random)" -AsPlainText -Force)
# Wait 12+ hours, confirm replication, then reset again
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString "ignored-$(Get-Random)" -AsPlainText -Force)

# Rotate service account passwords. Reset-ADServiceAccountPassword applies to
# standalone managed service accounts only; gMSA keys are rotated by the DCs,
# and ordinary user accounts used as service accounts need Set-ADAccountPassword
# plus an update of every service, task and application that stores the password.
Get-ADServiceAccount -Filter * | ForEach-Object { Reset-ADServiceAccountPassword -Identity $_.Name }

# Revoke all Azure AD refresh tokens (AzureAD module; the Microsoft Graph
# equivalent is Revoke-MgUserSignInSession). This forces every user to sign in
# again, so schedule it with that impact in mind.
Get-AzureADUser -All $true | ForEach-Object { Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId }

# Rotate API keys and secrets: application-specific credential rotation for
# anything the attacker could have read from the compromised hosts (cloud IAM
# keys, CI tokens, database passwords, certificates)
```

Step 5: Patch Vulnerability Used for Initial Access

Identify and patch the entry point vulnerability; the KB number below is a placeholder for the fix identified during the investigation.

```powershell
# Windows Update. Install-WindowsUpdate comes from the PSWindowsUpdate module,
# not from Windows itself
Install-Module PSWindowsUpdate
Install-WindowsUpdate -KBArticleID "KB5001234" -AcceptAll -AutoReboot

# Verify the patch was applied
Get-HotFix -Id "KB5001234"
```

```bash
# Linux patching
apt update && apt upgrade -y    # Debian/Ubuntu
yum update -y                   # RHEL/CentOS (dnf on newer releases)

# Application-specific patches: update web application frameworks, CMS,
# plugins, etc., then verify the running version
```

Step 6: Validate Eradication

Full system scan with updated signatures, then confirm that nothing from the Step 1 inventory remains.

```bash
# CrowdStrike Falcon on-demand scan via the API (device_id is a placeholder;
# verify the endpoint and request body against the current Falcon API
# reference for your cloud before use)
curl -X POST "https://api.crowdstrike.com/scanner/entities/scans/v1" \
  -H "Authorization: Bearer $FALCON_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ids": ["device_id"]}'
```

```powershell
# Verify no persistence mechanisms remain. findstr "unknown verified" matches
# either word, and "verified" also matches "(Verified)", so every line would
# match; search for the exact signer strings instead
autorunsc.exe -accepteula -a * -c -h -s -v | findstr /i /c:"(Not verified)" /c:"Unknown"

# Processes running from outside the standard locations ($_ not $.; processes
# with no readable path are skipped, so run elevated to see all of them)
Get-Process | Where-Object { $_.Path -and $_.Path -notlike "C:\Windows\*" -and $_.Path -notlike "C:\Program Files*" } |
  Select-Object Id, ProcessName, Path

# Established connections to non-private addresses. "172.16.*" covers only
# 172.16.0.0/16; RFC 1918 is 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
Get-NetTCPConnection -State Established |
  Where-Object { $_.RemoteAddress -notmatch '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)' } |
  Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
```

```bash
# Run the YARA rules again to confirm no artifacts remain
yara -r malware_rules/specific_family.yar C:\ 2>/dev/null
```

Key Concepts

  • Persistence Mechanism: method the attacker uses to maintain access across reboots
  • Root Cause Remediation: fixing the vulnerability that enabled the initial compromise
  • Credential Rotation: resetting all potentially compromised passwords and tokens
  • KRBTGT Reset: invalidating Kerberos tickets, golden tickets included, after a domain compromise; takes two resets because the KDC honours the previous key
  • Indicator Sweep: scanning all systems for known malicious artifacts
  • Validation Scan: confirming eradication was successful before recovery
  • Re-imaging: rebuilding systems from clean images rather than cleaning them

Tools & Systems

  • Sysinternals Autoruns: enumerate all Windows autostart locations
  • YARA: custom rule-based malware scanning
  • CrowdStrike/SentinelOne: EDR-based scanning and remediation
  • ClamAV: open-source antivirus scanning
  • PowerShell: scripted cleanup and validation
  • Velociraptor: remote artifact collection and remediation

Common Scenarios

  1. RAT with Multiple Persistence: Remote access trojan using registry, scheduled task, and WMI subscription. Must remove all three persistence mechanisms.
  2. Web Shell on IIS/Apache: PHP/ASPX web shell in web root. Remove shell, audit all web files, patch application vulnerability.
  3. Rootkit Infection: Kernel-level rootkit that survives cleanup. Requires full re-image from known-good media.
  4. Fileless Malware: PowerShell-based attack living in memory and registry. Remove registry entries, clear WMI subscriptions, restart system.
  5. Active Directory Compromise: Attacker created backdoor accounts and golden tickets. Reset KRBTGT, remove rogue accounts, audit group memberships.

Output Format

  • Eradication action log with all removed artifacts
  • Credential rotation confirmation report
  • Vulnerability patching verification
  • Post-eradication validation scan results
  • Systems cleared for recovery phase