Remove Malware, Backdoors, and Persistence Mechanisms

Systematically remove all identified malware, backdoors, and attacker persistence mechanisms from compromised systems. Verify removal with multiple scanning engines and confirm no persistence remains.

Actions

  1. Compile a complete list of all identified malicious artifacts: file paths and hashes, registry keys, scheduled tasks, services, cron jobs, web shells, SSH keys, and any other persistence mechanisms discovered during analysis. Every later verification step is checked against this list.
  2. On Windows: remove malicious scheduled tasks (`schtasks /delete /tn "TASK_NAME" /f`), services (`sc stop SERVICE_NAME` and then `sc delete SERVICE_NAME`; a service that is still running is only marked for deletion), registry Run/RunOnce keys, WMI event subscriptions (the filter, consumer and binding objects in the root\subscription namespace), and startup folder entries. Use Autoruns to verify: `autorunsc.exe -a * -c -h -s -v -vt > autoruns_post_cleanup.csv`, and compare the output with the pre-cleanup capture.
  3. On Linux: list per-user crontabs with `crontab -l -u COMPROMISED_USER` and remove only the malicious lines with `crontab -e -u COMPROMISED_USER` (`crontab -r` deletes the user's entire crontab, legitimate jobs included); also check /etc/crontab, /etc/cron.d/, the /etc/cron.*/ directories and systemd timers. Remove malicious systemd units (`systemctl disable --now UNIT`, then delete the unit file and any *.wants symlinks), attacker keys in ~/.ssh/authorized_keys for every account including root and service accounts, LD_PRELOAD entries in /etc/ld.so.preload and shell profile files, and files in /tmp or /dev/shm. Check for rootkits with `chkrootkit` and `rkhunter --check`, bearing in mind that both run on the possibly compromised system and can be blinded by a kernel-level rootkit.
  4. Run full antivirus scans with updated signatures on all cleaned systems. Use at least two different AV engines for validation; a clean result from a single engine is not confirmation.
  5. Verify removal: no malicious processes are running, no connections to known C2 infrastructure are occurring, and every artifact on the step 1 list is gone. Repeat the check after a reboot, because many persistence mechanisms only fire at boot or logon.
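
The Linux side of steps 1, 3 and 5 as one re-check script. This is an added example, not part of the original playbook: it walks the persistence locations named above against the artifact list compiled in step 1 and reports anything still present. It assumes an IOC file in the `kind value` format shown in the header, a `ROOT` argument that is either `/` (live host) or a mounted forensic image, and the demo artifacts (`.sysupd`, `libsysupd.so`, the ed25519 key fragment) are constructed placeholders, not indicators from any real incident.

```shell
#!/bin/sh
# Added example, not part of the original playbook: re-check the Linux
# persistence locations from the Actions list against the artifact list
# compiled in step 1. ROOT may be "/" (live host) or a mounted image such
# as /mnt/evidence, so the same check works on an offline copy.
#
# IOC list: one "kind value" pair per line, blank lines and # comments ignored.
#   file    /usr/local/bin/.sysupd           path that must be gone
#   cron    sysupd                           text that must not appear in any crontab
#   unit    sysupd.service                   systemd unit name that must not exist
#   sshkey  AAAAC3NzaC1lZDI1NTE5AAAAIMaL     key material that must not be authorized
#   preload libsysupd.so                     library that must not be in ld.so.preload

# residual_persistence ROOT IOC_FILE: prints each remaining artifact, returns the count (0 = clean)
residual_persistence() {
    root="${1%/}"          # "/" becomes "" so "$root/etc" is valid for the live host too
    iocs="$2"
    hits=0
    while read -r kind value; do
        found=""
        case "$kind" in
            ''|'#'*) continue ;;
            file)
                [ -e "$root$value" ] && found="still present" ;;
            cron)
                # per-user spool files, the system crontab and the cron.* drop-in directories
                if grep -rsqF -- "$value" "$root/var/spool/cron" "$root/etc/crontab" \
                        "$root/etc/cron.d" "$root/etc/cron.hourly" "$root/etc/cron.daily" \
                        "$root/etc/cron.weekly" "$root/etc/cron.monthly"; then
                    found="referenced in a crontab"
                fi ;;
            unit)
                # system, vendor and per-user unit dirs; -name also catches *.wants/ symlinks
                if find "$root/etc/systemd" "$root/lib/systemd" "$root/usr/lib/systemd" \
                        "$root/home" "$root/root" -name "$value" 2>/dev/null | grep -q .; then
                    found="unit file or .wants link exists"
                fi ;;
            sshkey)
                if grep -sqF -- "$value" "$root/root/.ssh/authorized_keys" \
                        "$root"/home/*/.ssh/authorized_keys; then
                    found="key still authorized"
                fi ;;
            preload)
                grep -sqF -- "$value" "$root/etc/ld.so.preload" && found="in ld.so.preload" ;;
            *)
                found="unknown IOC kind" ;;
        esac
        if [ -n "$found" ]; then
            echo "REMAINING $kind $value ($found)"
            hits=$((hits + 1))
        fi
    done < "$iocs"

    # Independent of the list: files with the owner execute bit (-perm -100) left in
    # the scratch directories the playbook names are suspicious after a cleanup.
    # (Paths containing whitespace are not handled by this loop.)
    for f in $(find "$root/tmp" "$root/dev/shm" -type f -perm -100 2>/dev/null); do
        echo "REMAINING exec $f (executable in scratch directory)"
        hits=$((hits + 1))
    done
    return "$hits"
}

# make_demo_root: build a throwaway fake root with planted artifacts (constructed
# data for exercising the checker offline, not from a real incident); prints its path
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/etc/systemd/system/multi-user.target.wants" \
             "$d/home/svc/.ssh" "$d/usr/local/bin" "$d/dev/shm" "$d/tmp"
    echo '* * * * * root /usr/local/bin/.sysupd' > "$d/etc/cron.d/sysupd"
    printf '[Service]\nExecStart=/usr/local/bin/.sysupd\n' > "$d/etc/systemd/system/sysupd.service"
    ln -s ../sysupd.service "$d/etc/systemd/system/multi-user.target.wants/sysupd.service"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMaL attacker@c2' > "$d/home/svc/.ssh/authorized_keys"
    echo '/usr/local/lib/libsysupd.so' > "$d/etc/ld.so.preload"
    : > "$d/usr/local/bin/.sysupd"
    : > "$d/dev/shm/.x" && chmod 755 "$d/dev/shm/.x"
    printf '%s\n' 'file /usr/local/bin/.sysupd' 'cron sysupd' 'unit sysupd.service' \
        'sshkey AAAAC3NzaC1lZDI1NTE5AAAAIMaL' 'preload libsysupd.so' > "$d/iocs.txt"
    echo "$d"
}

# Usage: sh recheck.sh ROOT IOC_FILE    or    sh recheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_root)
    residual_persistence "$d" "$d/iocs.txt"; echo "remaining artifacts: $?"
    rm -rf "$d"
elif [ $# -eq 2 ]; then
    residual_persistence "$1" "$2"
fi
```

`sh recheck.sh --demo` plants six artifacts (file, cron.d entry, unit plus its .wants link, authorized key, ld.so.preload entry, executable in /dev/shm) and reports all six; `sh recheck.sh / iocs.txt` runs the same check on the cleaned host, and `sh recheck.sh /mnt/evidence iocs.txt` runs it against a mounted image, which is the trustworthy variant when rootkit indicators are present, since on the live host the script depends on the same userland tools a rootkit can subvert.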

Queries

// Verify no new files in the staging directories after cleanup. KQL treats a
// backslash in a double-quoted string as an escape, so Windows paths use verbatim @"" literals.
DeviceFileEvents
| where Timestamp > ago(1h)
| where DeviceName == "CLEANED_HOST"
| where ActionType == "FileCreated"
| where FolderPath has_any (@"\Temp\", @"\AppData\", @"\ProgramData\")
| project Timestamp, FileName, FolderPath, InitiatingProcessFileName

// Verify no C2 beaconing post-cleanup. Replace the placeholder values with the
// domains and addresses from the step 1 artifact list.
let KNOWN_C2_DOMAINS = dynamic(["c2.example.invalid"]);
let KNOWN_C2_IPS = dynamic(["203.0.113.10"]);
DeviceNetworkEvents
| where Timestamp > ago(4h)
| where DeviceName == "CLEANED_HOST"
| where RemoteUrl in~ (KNOWN_C2_DOMAINS) or RemoteIP in (KNOWN_C2_IPS)
| project Timestamp, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName

Notes

  • Always take a forensic image of the system BEFORE beginning malware removal. The pre-cleanup state is critical evidence.
  • If a system has multiple persistence mechanisms or rootkit indicators, rebuilding from a clean image is safer than selective cleaning.