Systematically maps, identifies, and eradicates malware, backdoors, and persistence mechanisms from infected Windows/Linux systems in incident response.
Slash command: /cybersecurity-skills-zh:eradicating-malware-from-infected-systems
- Malware infection has been confirmed and containment measures are in place
# Windows - check all known persistence locations
# Autoruns (Sysinternals) - comprehensive autostart enumeration
autorunsc.exe -accepteula -a * -c -h -s -v > autoruns_report.csv
# Registry Run keys
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /s
# Scheduled tasks
schtasks /query /fo CSV /v > schtasks_all.csv
# WMI event subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
# Services (Win32_Service exposes the binary path; Get-Service objects lack it on Windows PowerShell 5.1)
Get-CimInstance Win32_Service | Where-Object {$_.State -eq 'Running'} | Select-Object Name, DisplayName, PathName
# Linux persistence
cat /etc/crontab
ls -la /etc/cron.*/
ls -la /etc/init.d/
systemctl list-unit-files --type=service | grep enabled
cat /etc/rc.local
ls -la ~/.bashrc ~/.profile ~/.bash_profile
# Scan with YARA rules written for the specific malware family
yara -r -s malware_rules/specific_family.yar C:\ 2>/dev/null
# Scan with multiple AV engines
# ClamAV scan
clamscan -r --infected --remove=no /mnt/infected_disk/
# Check for known malicious file hashes (exact, whole-line match so a hash prefix cannot match another entry)
find / -type f -newer /tmp/baseline_timestamp -exec sha256sum {} \; 2>/dev/null | \
while read hash file; do
grep -Fqx "$hash" known_malicious_hashes.txt && echo "MALICIOUS: $file ($hash)"
done
# Check for web shells
find /var/www/ -name "*.php" -newer /tmp/baseline -exec grep -l "eval\|base64_decode\|system\|passthru\|shell_exec" {} \;
# Check for unauthorized SSH keys
find / -name "authorized_keys" -exec cat {} \; 2>/dev/null
# Delete identified malicious files (only after forensic imaging)
# Windows
Remove-Item -Path "C:\Windows\Temp\malware.exe" -Force
Remove-Item -Path "C:\Users\Public\backdoor.dll" -Force
# Delete malicious scheduled tasks
schtasks /delete /tn "MaliciousTaskName" /f
# Remove WMI persistence (the binding as well as the filter and consumer, otherwise the subscription is only partly removed)
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding | Where-Object {$_.Filter -match 'MalFilter'} | Remove-WMIObject
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='MalFilter'" | Remove-WMIObject
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='MalConsumer'" | Remove-WMIObject
# Delete malicious registry entries
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MalEntry" /f
# Delete malicious service (sc.exe, because in PowerShell "sc" is an alias for Set-Content)
sc.exe stop "MalService" && sc.exe delete "MalService"
# Linux - remove malicious cron entries, binaries, SSH keys
crontab -r # removes the current user's entire crontab (or edit specific entries with crontab -e)
rm -f /tmp/.hidden_backdoor
sed -i '/malicious_key/d' ~/.ssh/authorized_keys
systemctl disable --now malicious-service && rm /etc/systemd/system/malicious-service.service && systemctl daemon-reload
# Reset passwords of all compromised users (a fresh random password per user, change forced at next logon)
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=CompromisedUsers,DC=domain,DC=com" | ForEach-Object {
Set-ADAccountPassword -Identity $_ -Reset -NewPassword (ConvertTo-SecureString "TempP@ss!$(Get-Random)" -AsPlainText -Force)
Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
}
# Reset the KRBTGT password (twice, at least 12 hours apart, to invalidate Golden Tickets)
Set-ADAccountPassword -Identity krbtgt -Server DC01 -Reset -NewPassword (ConvertTo-SecureString (New-Guid).Guid -AsPlainText -Force)
# Wait at least 12 hours (longer than the default maximum ticket lifetime), then reset again
Set-ADAccountPassword -Identity krbtgt -Server DC01 -Reset -NewPassword (ConvertTo-SecureString (New-Guid).Guid -AsPlainText -Force)
# Rotate service account passwords
Get-ADServiceAccount -Filter * | ForEach-Object {
Reset-ADServiceAccountPassword -Identity $_.Name
}
# Revoke all Azure AD tokens
Get-AzureADUser -All $true | ForEach-Object {
Revoke-AzureADUserAllRefreshToken -ObjectId $_.ObjectId
}
# Rotate API keys and secrets
# Application-specific credential rotation
# Identify and patch the entry-point vulnerability
# Windows Update (PSWindowsUpdate module)
Install-WindowsUpdate -KBArticleID "KB5001234" -AcceptAll -AutoReboot
# Linux patching
apt update && apt upgrade -y # Debian/Ubuntu
yum update -y # RHEL/CentOS
# Application-specific patches
# Update web application frameworks, CMSes, etc.
# Verify the patch was applied
Get-HotFix -Id "KB5001234"
# Full-system scan with updated signatures
# CrowdStrike Falcon - on-demand scan
curl -X POST "https://api.crowdstrike.com/scanner/entities/scans/v1" \
-H "Authorization: Bearer $FALCON_TOKEN" \
-H "Content-Type: application/json" \
-d '{"ids": ["device_id"]}'
# Verify no residual persistence (match only unverified or unknown signers; a bare "verified" would also match every "(Verified)" line)
autorunsc.exe -accepteula -a * -c -h -s -v | findstr /i /c:"not verified" /c:"unknown"
# Check for residual suspicious processes
Get-Process | Where-Object {$_.Path -notlike "C:\Windows\*" -and $_.Path -notlike "C:\Program Files*"}
# Verify no unauthorized network connections
Get-NetTCPConnection -State Established |
Where-Object {$_.RemoteAddress -notlike "10.*" -and $_.RemoteAddress -notlike "172.16.*"} |
Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
# Run the YARA rules again to confirm no artifacts remain
yara -r malware_rules/specific_family.yar C:\ 2>/dev/null
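An added example (not the skill's own code) showing how to triage the `autorunsc -c -h -s` report for the validation step instead of grepping for "verified", which matches the `(Verified)` lines too: it flags entries whose signer is absent or not verified and cross-checks SHA-256 values against a known-bad set. Column names are assumed to follow autorunsc's CSV header; the rows and hashes are constructed placeholders.

```python
import csv
import io

# Constructed sample in the shape of "autorunsc -a * -c -h -s" CSV output (column names assumed
# to follow autorunsc's header; the rows and hashes are made up and are not real indicators).
SAMPLE_AUTORUNS_CSV = """Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String,SHA-256
1/1/2024,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,10.0,%windir%\\system32\\SecurityHealthSystray.exe,1111
1/1/2024,HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,Logon,user,,(Not verified) Contoso Ltd,,c:\\users\\public\\updater.exe,,c:\\users\\public\\updater.exe,2222
1/1/2024,Task Scheduler,\\Sync,enabled,Tasks,System-wide,,,,c:\\programdata\\sync.exe,,c:\\programdata\\sync.exe,3333
"""

# Constructed placeholder set; in a real case fill it with the incident's confirmed SHA-256 IoCs.
KNOWN_BAD_SHA256 = {"3333"}

def triage_autoruns(csv_text: str, known_bad: set[str]) -> list[dict]:
    """Return autostart entries that need analyst review: signer missing or not verified,
    or image hash present in the known-bad set. Entries with a verified signer and a
    clean hash are dropped, which is what 'findstr verified' fails to do."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        signer = (row.get("Signer") or "").strip()
        sha256 = (row.get("SHA-256") or "").strip().lower()
        reasons = []
        if not signer.startswith("(Verified)"):
            reasons.append("signer_not_verified")  # covers "(Not verified) ..." and an empty signer
        if sha256 and sha256 in known_bad:
            reasons.append("known_bad_hash")
        if reasons:
            findings.append({
                "location": row.get("Entry Location", ""),
                "entry": row.get("Entry", ""),
                "image": row.get("Image Path", ""),
                "reasons": reasons,
            })
    return findings

def demo() -> list[dict]:
    return triage_autoruns(SAMPLE_AUTORUNS_CSV, KNOWN_BAD_SHA256)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['location']} | {f['entry']} | {f['image']} | {', '.join(f['reasons'])}")
```

When reading a real report from disk, check the file's encoding before opening it, since redirected autorunsc output is not always UTF-8.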
| Concept | Description |
|---|---|
| Persistence mechanism | Method an attacker uses to keep access across system reboots |
| Root cause remediation | Fix the vulnerability that made the initial compromise possible |
| Credential rotation | Reset all passwords and tokens that may have been compromised |
| KRBTGT reset | Invalidate Kerberos tickets after a Golden Ticket attack |
| Indicator sweep | Scan all systems for known malicious artifacts |
| Validation scan | Confirm eradication succeeded before recovery |
| Re-imaging | Rebuild the system from a clean image instead of cleaning it |

| Tool | Purpose |
|---|---|
| Sysinternals Autoruns | Enumerate all Windows autostart locations |
| YARA | Malware scanning based on custom rules |
| CrowdStrike/SentinelOne | EDR-based scanning and remediation |
| ClamAV | Open-source antivirus scanning |
| PowerShell | Scripted cleanup and verification |
| Velociraptor | Remote forensic collection and remediation |
npx claudepluginhub killvxk/cybersecurity-skills-zh
Systematically remove malware, backdoors, and attacker persistence mechanisms from infected systems while ensuring complete eradication and preventing re-infection.
Guides eradication of malware, backdoors, and persistence from infected Windows/Linux systems using Autoruns, YARA, ClamAV scans post-containment.