4.27-Stop Malware Backdoor
Task Stop malware backdoor¶
Conditions¶
Given a compromised system, perform steps to stop malware backdoors and C2 beaconing.
Standards¶
- Run Stop_malware_backdoor.ps1 and an executable will named Cerberus.exe will appear.
- Cerberus.exe will need to be run with administrator privileges.
- Use Cerberus to either analyze, suspend, or kill the malware backdoor or C2 beaconing.
End State¶
System processes will be cleared of malicious code injection and back to its normal state.
Notes¶
- Cerberus will only go after the thread from within the process that it is hunting. There will not be a need to restart a process due to the fact that Cerberus is killing the thread that is infected, and ONLY that thread. It will not kill the process.
- This Task will also apply to 4.28_Stop_C2_Beaconing
Manual Steps¶
- Run Stop_malware_backdoor.ps1
- Run Cerberus with --analyze or -a to analyze all of the hosts current running processes.
- Run Cerberus with --suspend or -s to suspend the threads. This will not kill the thread, only suspend it that way malicious activities are not running while keeping the process running.
- Run Cerberus with --kill or -k to kill the thread. The thread will be terminated and will not continue to beacon or be used as a backdoor. The process will not need to be restarted.