mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
126 lines
3.8 KiB
Markdown
126 lines
3.8 KiB
Markdown
# Malware Eradication - Detailed Workflow
|
|
|
|
## Pre-Eradication Checklist
|
|
- [ ] Forensic images collected from all compromised systems
|
|
- [ ] All IOCs identified and documented
|
|
- [ ] All persistence mechanisms mapped
|
|
- [ ] Root cause (initial access vector) identified
|
|
- [ ] Containment verified and holding
|
|
- [ ] Eradication plan approved by Incident Commander
|
|
- [ ] Rollback plan prepared in case eradication fails
|
|
|
|
## Eradication Phases
|
|
|
|
### Phase 1: Artifact Inventory
|
|
1. Compile list of all malware files with paths and hashes
|
|
2. Map all persistence mechanisms per system
|
|
3. List all compromised accounts (user, service, admin)
|
|
4. Identify all backdoor access methods
|
|
5. Document network-level indicators (C2 IPs, domains)
|
|
6. Note any configuration changes made by attacker
|
|
|
|
### Phase 2: Coordinated Removal
|
|
Execute removal across ALL compromised systems simultaneously to prevent attacker from detecting cleanup on one system and acting on another.
|
|
|
|
**Simultaneous Actions:**
|
|
1. Remove malware files from all systems
|
|
2. Delete persistence mechanisms (registry, tasks, services, WMI)
|
|
3. Disable compromised accounts
|
|
4. Block all C2 infrastructure at network level
|
|
5. Remove unauthorized SSH keys and certificates
|
|
6. Clean up web shells from all web servers
|
|
|
|
### Phase 3: Credential Reset
|
|
**Priority Order:**
|
|
1. KRBTGT password (reset twice, 12+ hours apart)
|
|
2. Domain admin accounts
|
|
3. Service accounts
|
|
4. All accounts that logged into compromised systems
|
|
5. Application credentials and API keys
|
|
6. Machine account passwords (if targeted)
|
|
|
|
### Phase 4: Vulnerability Remediation
|
|
1. Patch the vulnerability used for initial access
|
|
2. Patch any additional vulnerabilities discovered during investigation
|
|
3. Harden configurations that were exploited
|
|
4. Update security tool signatures and rules
|
|
5. Close unnecessary ports and services
|
|
|
|
### Phase 5: Validation
|
|
1. Full AV/EDR scan on all previously compromised systems
|
|
2. YARA scan for specific malware family artifacts
|
|
3. Check all persistence locations are clean
|
|
4. Verify no unauthorized processes running
|
|
5. Confirm no unauthorized network connections
|
|
6. Validate all credentials were successfully rotated
|
|
7. Test that patches are properly applied
|
|
|
|
## Decision: Clean vs. Re-Image
|
|
|
|
### When to Clean (In-Place Remediation)
|
|
- Limited number of artifacts
|
|
- Well-understood malware family
|
|
- No rootkit or bootkit components
|
|
- Time pressure requires faster recovery
|
|
- System configuration is complex to rebuild
|
|
|
|
### When to Re-Image (Full Rebuild)
|
|
- Rootkit or bootkit detected
|
|
- Kernel-level compromise
|
|
- Domain controller compromise
|
|
- Inability to confirm complete eradication
|
|
- Simpler to rebuild than to clean
|
|
- Legal requirements demand clean systems
|
|
|
|
## Common Persistence Locations Reference
|
|
|
|
### Windows
|
|
```
|
|
Registry:
|
|
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
|
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
|
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
|
|
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
|
|
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (Shell, Userinit)
|
|
HKLM\SYSTEM\CurrentControlSet\Services
|
|
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
|
|
|
|
Filesystem:
|
|
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup
|
|
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
|
|
C:\Windows\System32\Tasks\
|
|
C:\Windows\System32\drivers\
|
|
|
|
WMI:
|
|
root\Subscription\__EventFilter
|
|
root\Subscription\CommandLineEventConsumer
|
|
root\Subscription\__FilterToConsumerBinding
|
|
```
|
|
|
|
### Linux
|
|
```
|
|
Cron:
|
|
/etc/crontab
|
|
/etc/cron.d/*
|
|
/etc/cron.daily/*
|
|
/var/spool/cron/crontabs/*
|
|
|
|
Services:
|
|
/etc/systemd/system/*.service
|
|
/etc/init.d/*
|
|
/etc/rc.local
|
|
|
|
Shell:
|
|
~/.bashrc, ~/.profile, ~/.bash_profile
|
|
/etc/profile.d/*
|
|
/etc/environment
|
|
|
|
SSH:
|
|
~/.ssh/authorized_keys
|
|
/etc/ssh/sshd_config
|
|
|
|
Other:
|
|
/etc/ld.so.preload
|
|
Kernel modules: /lib/modules/
|
|
```
|