Systematically maps, identifies, and eradicates malware, backdoors, and persistence mechanisms from infected Windows/Linux systems in incident response.
- Malware infection has been confirmed and containment measures are in place
```powershell
# Windows - check all known persistence locations
# Autoruns (Sysinternals) - comprehensive autostart enumeration
autorunsc.exe -accepteula -a * -c -h -s -v > autoruns_report.csv
# Registry Run keys
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /s
# Scheduled tasks
schtasks /query /fo CSV /v > schtasks_all.csv
# WMI event subscriptions (filter, consumer, and the binding that links them)
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
# Services - Win32_Service exposes the binary path (PathName) on Windows PowerShell 5.1,
# where Get-Service objects carry no BinaryPathName property
Get-CimInstance Win32_Service | Where-Object { $_.State -eq 'Running' } | Select-Object Name, DisplayName, PathName
```

```bash
# Linux persistence
cat /etc/crontab
ls -la /etc/cron.*/
ls -la /etc/init.d/
systemctl list-unit-files --type=service | grep enabled
cat /etc/rc.local
ls -la ~/.bashrc ~/.profile ~/.bash_profile
```

```powershell
# Scan with YARA rules written for the specific malware family (Windows host)
yara -r -s malware_rules\specific_family.yar C:\ 2>$null
```

```bash
# Scan with multiple AV engines
# ClamAV scan (report only; --remove=no leaves files in place for forensics)
clamscan -r --infected --remove=no /mnt/infected_disk/
# Check files changed since the baseline against known malicious hashes
find / -type f -newer /tmp/baseline_timestamp -exec sha256sum {} \; 2>/dev/null | \
while read -r hash file; do
    grep -qF "$hash" known_malicious_hashes.txt && echo "MALICIOUS: $file ($hash)"
done
# Check for web shells (crude keyword match; review every hit by hand)
find /var/www/ -type f -name "*.php" -newer /tmp/baseline -exec grep -l "eval\|base64_decode\|system\|passthru\|shell_exec" {} \;
# Check for unauthorized SSH keys (print each file's path, then its contents)
find / -name "authorized_keys" -print -exec cat {} \; 2>/dev/null
```

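As an added example (not part of the original skill), a small Python scanner that refines the web-shell grep above: it scores each PHP file changed since the baseline on whether an execution sink is reachable from request input or is fed by a decoding call, so ordinary code that merely calls base64_decode is not reported. The sample files, scores and threshold are constructed for illustration.

```python
import os
import re
import tempfile

# Heuristics for PHP web shells: an execution sink combined with request input
# and/or a decoding layer. A bare "eval|base64_decode" grep also flags benign code.
SINKS = re.compile(r"\b(eval|system|passthru|shell_exec|exec|popen|assert)\s*\(", re.I)
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|php://input", re.I)
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)


def score_php(source: str) -> int:
    """Suspicion score for one PHP file: 0 means no execution sink at all."""
    if not SINKS.search(source):
        return 0
    score = 1
    if SOURCES.search(source):
        score += 2  # request input can reach an execution sink
    if OBFUSCATION.search(source):
        score += 2  # payload is decoded immediately before execution
    return score


def scan_webroot(root: str, baseline_mtime: float, threshold: int = 3) -> list:
    """Return [(path, score)] for .php files modified after baseline_mtime
    whose score reaches the threshold, sorted by path."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(".php") or os.path.getmtime(path) <= baseline_mtime:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                score = score_php(fh.read())
            if score >= threshold:
                hits.append((path, score))
    return sorted(hits)


# Constructed sample web root: a one-line backdoor and a benign file that a
# plain "eval|base64_decode" grep would both report.
SAMPLE_FILES = {
    "shell.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
    "cache.php": "<?php $img = base64_decode($cfg['thumb']); echo $img; ?>",
}


def demo() -> list:
    root = tempfile.mkdtemp()  # write the samples to a temp dir, return flagged names
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return [os.path.basename(p) for p, _ in scan_webroot(root, baseline_mtime=0)]
```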
```powershell
# Delete identified malicious files (only after forensic imaging)
# Windows
Remove-Item -Path "C:\Windows\Temp\malware.exe" -Force
Remove-Item -Path "C:\Users\Public\backdoor.dll" -Force
# Delete the malicious scheduled task
schtasks /delete /tn "MaliciousTaskName" /f
# Remove WMI persistence: drop the binding first, then the filter and consumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -match 'MalFilter' } | Remove-WMIObject
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='MalFilter'" | Remove-WMIObject
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='MalConsumer'" | Remove-WMIObject
# Delete the malicious registry value
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MalEntry" /f
# Delete the malicious service (sc.exe, because in PowerShell "sc" is an alias of Set-Content)
sc.exe stop "MalService"
sc.exe delete "MalService"
```

```bash
# Linux - remove malicious cron entries, binaries, SSH keys
crontab -r  # removes the current user's entire crontab (or edit out the specific entries instead)
rm -f /tmp/.hidden_backdoor
sed -i '/malicious_key/d' ~/.ssh/authorized_keys
systemctl disable --now malicious-service && rm /etc/systemd/system/malicious-service.service
systemctl daemon-reload
```

```powershell
# Reset all compromised user passwords (a fresh random password per account, changed at next logon)
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=CompromisedUsers,DC=domain,DC=com" | ForEach-Object {
    $newPassword = ConvertTo-SecureString "TempP@ss!$(Get-Random)" -AsPlainText -Force
    Set-ADAccountPassword -Identity $_ -Reset -NewPassword $newPassword
    Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
}
# Reset the KRBTGT password (twice, more than 12 hours apart, to clean up after a Golden Ticket attack)
# Reset-KrbtgtPassword comes from a separate KRBTGT reset script, not from the ActiveDirectory module
Reset-KrbtgtPassword -DomainController DC01
# Wait more than 12 hours, then reset again
Reset-KrbtgtPassword -DomainController DC01
# Rotate service account passwords
Get-ADServiceAccount -Filter * | ForEach-Object {
    Reset-ADServiceAccountPassword -Identity $_.Name
}
# Revoke all Azure AD tokens (AzureAD module; the Microsoft Graph equivalent is Revoke-MgUserSignInSession)
Get-AzureADUser -All $true | ForEach-Object {
    Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId
}
# Rotate API keys and secrets
# Application-specific credential rotation
```

```powershell
# Identify and patch the entry-point vulnerability
# Windows Update (Install-WindowsUpdate comes from the PSWindowsUpdate module)
Import-Module PSWindowsUpdate
Install-WindowsUpdate -KBArticleID "KB5001234" -AcceptAll -AutoReboot
# Verify the patch was applied
Get-HotFix -Id "KB5001234"
```

```bash
# Linux patching
apt update && apt upgrade -y   # Debian/Ubuntu
yum update -y                  # RHEL/CentOS
# Application-specific patches
# Update web application frameworks, CMS, etc.
```

```bash
# Full system sweep with updated signatures
# CrowdStrike Falcon - on-demand scan
curl -X POST "https://api.crowdstrike.com/scanner/entities/scans/v1" \
  -H "Authorization: Bearer $FALCON_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ids": ["device_id"]}'
```

```powershell
# Verify no persistence mechanisms remain: -v verifies signatures, so list entries
# whose signer is "(Not verified)" or unknown (findstr /c: matches each phrase whole)
autorunsc.exe -accepteula -a * -c -h -s -v | findstr /i /c:"not verified" /c:"unknown"
# Check for remaining suspicious processes (running outside Windows and Program Files)
Get-Process | Where-Object { $_.Path -and $_.Path -notlike "C:\Windows\*" -and $_.Path -notlike "C:\Program Files*" }
# Verify no unauthorized network connections: exclude loopback and every RFC 1918 range
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1$)' } |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
# Run the YARA rules again to confirm no artifacts remain
yara -r malware_rules\specific_family.yar C:\ 2>$null
```

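An added example, not from the original skill: Python triage of the CSV that the autorunsc commands above write, listing entries whose signer is not verified and entries that are new or changed against a pre-incident baseline report. The two sample reports are constructed in the autorunsc -c -h column layout; the hashes, timestamps and entry names are placeholders.

```python
import csv
import io

# Constructed sample reports in the column layout that
# "autorunsc -accepteula -a * -c -h -s -v" writes (the -h hash columns follow
# Launch String). A real capture may be UTF-16 encoded; decode it before parsing.
BASELINE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String,MD5,SHA-1,PESHA-1,PESHA-256,SHA-256,IMP
20240101-120000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0,%windir%\system32\SecurityHealthSystray.exe,,,,,AAAA1111,
"""

# Post-cleanup capture: two unsigned entries that the eradication step missed.
POST_CLEANUP_CSV = BASELINE_CSV + r"""20240105-093000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,System-wide,,(Not verified) ACME,,c:\users\public\updater.exe,,c:\users\public\updater.exe -s,,,,,BBBB2222,
20240105-093100,Task Scheduler,\SysHealthCheck,enabled,Tasks,System-wide,,(Not verified),,c:\programdata\sh.exe,,c:\programdata\sh.exe,,,,,CCCC3333,
"""


def load_autoruns(text: str) -> dict:
    """Parse Autoruns CSV text into {(entry location, entry name): row}."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["Entry Location"], r["Entry"]): r for r in rows if r.get("Entry")}


def unverified_entries(text: str) -> list:
    """Autostart entries whose image lacks a verified publisher signature."""
    return sorted(key for key, row in load_autoruns(text).items()
                  if not row["Signer"].startswith("(Verified)"))


def new_or_changed(baseline_text: str, current_text: str) -> list:
    """Entries missing from the baseline, or whose SHA-256 differs from it."""
    base = load_autoruns(baseline_text)
    return sorted(key for key, row in load_autoruns(current_text).items()
                  if key not in base or base[key]["SHA-256"] != row["SHA-256"])


if __name__ == "__main__":
    for key in unverified_entries(POST_CLEANUP_CSV):
        print("UNVERIFIED:", key)
    for key in new_or_changed(BASELINE_CSV, POST_CLEANUP_CSV):
        print("NEW/CHANGED:", key)
```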
| Concept | Description |
|---|---|
| Persistence mechanism | Method an attacker uses to retain access after a system reboot |
| Root cause remediation | Fixing the vulnerability that made the initial compromise possible |
| Credential rotation | Resetting every password and token that may have been compromised |
| KRBTGT reset | Invalidating Kerberos tickets after a Golden Ticket attack |
| Indicator sweep | Scanning all systems for known malicious artifacts |
| Validation scan | Confirming that eradication succeeded before recovery |
| Re-imaging | Rebuilding a system from a clean image instead of cleaning it |

| Tool | Purpose |
|---|---|
| Sysinternals Autoruns | Enumerates all Windows autostart locations |
| YARA | Malware scanning with custom rules |
| CrowdStrike/SentinelOne | EDR-based scanning and remediation |
| ClamAV | Open-source antivirus scanning |
| PowerShell | Scripted cleanup and validation |
| Velociraptor | Remote forensic collection and remediation |