Details

• ID: CM0030
• Version: 1.0
• Created: 14 March 2025
• Modified: 14 March 2025
• Type: Eliminate
• Status: Active

Intended Outcome

Removing known malware terminates adversary collection, persistence, and command and control using malware.

Introduction

No Introduction content identified.

Preparation

• Review malware eradication strategy to minimize chances of an adversary presence surviving or being reinstated after eradication steps have been implemented.
• Determine whether any specific vulnerabilities, if any, were used by or exploited to install the malware and investigate how to prevent future exploitation.

Risks

• This countermeasure may have impacts that disrupt operations, including
• Data loss: Data entered since the last clean backup may be lost.
• Business disruption: Downtime during business hours may disrupt business.
• Errors can render this countermeasure ineffective.
• Confirm the integrity of any clean images/software prior to usage, to avoid the risk of re-infection.

Guidance

The specifics on the eradication of malware, backdoors, and implants will vary with each instance. The following is a list of some recommended practices regarding malware eradication activities. Please note, this is not an exhaustive list.

• Search for Indicators of Compromise (IOCs) (IP addresses, domains, certificates).
• Search for Tactics, Techniques, and Procedures (TTPs) consistent with adversary activity.
• Exploit internal resources (threat intelligence feeds, logs, etc.) to inform understanding of the attack and pivot to discover additional IOCs and TTPs.
• Reimage affected systems by restoring to an original uncorrupted state.
• Rebuild or replace hardware in the event of hard to eradicate infections such as root kits.
• Replace compromised files with uncorrupted files.
• Install Patches to mitigate any existing vulnerabilities.
• Monitor the system to verify successful eradication.

References

• Cybersecurity Incident & Vulnerability Response Playbooks | https://www.cisa.gov/sites/default/files/2024-08/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf
• Computer Security Incident Handling Guide | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf