Easy clean-up after an incident
Blog by: Maikel Roolvink, Cybersecurity Advisor SecureLink
Disclaimer: This script can break a machine within seconds; please remember that with great power comes great responsibility!
I just wanted to share a script I wrote to clean up machines after an infection. The idea started during a recent incident response assignment: I noticed that the file hashes of the malware did not change, but the file paths were different on every machine. In this particular case we could not simply replace all infected machines because of their role within the organization.
So this got me thinking: how could I write a low-tech script that cleans up machines based on file hashes instead of file paths and keeps me informed of the progress? Version one could delete files based on file hashes (MD5, SHA1, SHA256, SHA384 or SHA512). The hashes are stored in an input file on a central file share, and a log file records the progress: every successful or failed deletion with its corresponding path, or a note that a hash was not found on the machine.
04/10/2018 01:10:00: File with hash DD4E641F015B62815103330927B77B65DFEA92E9 found, removed C:\Badstuff\bad1.exe from host W10V
04/10/2018 01:10:00: File with hash DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 found, removed C:\Badstuff\final3.exe from host W10V
04/10/2018 01:10:00: File with DD4E641F015B62815103330927B77B65DFEA92E9 not found on host W10V
04/10/2018 01:10:00: File with DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 not found on host W10V
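The hash-based sweep described above, written out as an added example rather than the author's own script. It reads the indicator list from a central share, hashes every file under the chosen roots with the selected algorithm, removes the matches and writes the same kind of log lines as shown in the sample. The share paths (\\fileserver\ir\hashes.txt and \\fileserver\ir\cleanup.log) and the roots to sweep are assumptions. One caveat worth building in: the second hash in the sample log, DA39A3EE5E6B4B0D3255BFEF95601890AFD80709, is the SHA1 digest of an empty file, so a hash list containing it would match every zero-byte file on the host; the example drops such an entry before sweeping.

```powershell
# Added example (not the author's script): remove files by hash and log every result.
# Assumed paths: \\fileserver\ir\hashes.txt (one hex digest per line, '#' comments allowed)
# and \\fileserver\ir\cleanup.log. Run elevated; dry-run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $HashFile  = '\\fileserver\ir\hashes.txt',
    [string]   $LogFile   = '\\fileserver\ir\cleanup.log',
    [string[]] $Roots     = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp'),
    [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
    [string]   $Algorithm = 'SHA1'
)

$HostName = $env:COMPUTERNAME

function Write-Log {
    param([string] $Message)
    $line = '{0}: {1}' -f (Get-Date -Format 'MM/dd/yyyy HH:mm:ss'), $Message
    Add-Content -LiteralPath $LogFile -Value $line
    Write-Verbose $line
}

# Load the indicator list. Digests are compared case-insensitively, and any line that
# is not a hex digest of the right length for the chosen algorithm is logged and skipped.
$hexLength = @{ MD5 = 32; SHA1 = 40; SHA256 = 64; SHA384 = 96; SHA512 = 128 }[$Algorithm]
$wanted = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($line in Get-Content -LiteralPath $HashFile) {
    $h = $line.Trim()
    if (-not $h -or $h.StartsWith('#')) { continue }
    if ($h -notmatch "^[0-9A-Fa-f]{$hexLength}$") {
        Write-Log "ignoring '$h': not a $hexLength-character $Algorithm hex digest"
        continue
    }
    [void] $wanted.Add($h)
}
if ($wanted.Count -eq 0) { Write-Log "no usable $Algorithm hashes in $HashFile, nothing to do"; return }

# Safety check: the digest of an empty file would match every zero-byte file on the host.
$emptyHash = (Get-FileHash -InputStream ([System.IO.MemoryStream]::new()) -Algorithm $Algorithm).Hash
if ($wanted.Remove($emptyHash)) {
    Write-Log "hash $emptyHash is the $Algorithm digest of an empty file, ignoring it"
}

$matched = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

foreach ($root in $Roots) {
    # -Force includes hidden/system files; -LiteralPath keeps brackets in names from being globbed.
    $files = Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        try {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm $Algorithm -ErrorAction Stop).Hash
        } catch {
            Write-Log "could not hash $($file.FullName) on host ${HostName}: $($_.Exception.Message)"
            continue
        }
        if (-not $wanted.Contains($hash)) { continue }
        [void] $matched.Add($hash)
        if (-not $PSCmdlet.ShouldProcess($file.FullName, 'Remove-Item')) { continue }
        try {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            Write-Log "File with hash $hash found, removed $($file.FullName) from host $HostName"
        } catch {
            # Typical cause: the binary is still running and holds a lock on itself.
            Write-Log "File with hash $hash found, failed to remove $($file.FullName) from host ${HostName}: $($_.Exception.Message)"
        }
    }
}

# One "not found" line per indicator that never matched, as in the sample log.
foreach ($hash in $wanted) {
    if (-not $matched.Contains($hash)) {
        Write-Log "File with hash $hash not found on host $HostName"
    }
}
```

Two practical notes. A running executable cannot be deleted on Windows, so stop the matching process first (or let the failed-deletion line in the log tell you which hosts still need that); and hashing every file under a root is the slow part, so keep the roots to the locations the malware actually used rather than the whole system drive.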
So then I thought: okay, this is working, but what about the registry? So version 1.1 was born, and now we are also able to remove registry entries.
04/10/2018 01:10:00: registery key found, removed HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\Catalyst Control Center from host W10V
04/10/2018 01:10:00: registery key found, removed HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\CryptoMiner from host W10V
04/10/2018 01:10:00: registery key HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\Catalyst Control Center not found on host W10V
04/10/2018 01:10:00: registery key HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\CryptoMiner not found on host W10V
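The registry clean-up from version 1.1, as an added example that is not the author's script. Two details a practitioner needs here: entries under the Run key, like the two in the log above, are values rather than subkeys, so the example tries to remove a value first and only then falls back to deleting a key; and HKCU: only reaches the hive of the account running the script, so HKCU entries are additionally checked under every loaded user profile in HKEY_USERS. The indicator file \\fileserver\ir\regkeys.txt (one entry per line in the same form as the log) and the log path are assumptions.

```powershell
# Added example (not the author's script): remove registry persistence entries and log the result.
# Assumed paths: \\fileserver\ir\regkeys.txt with lines such as
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\CryptoMiner
# and \\fileserver\ir\cleanup.log. Run elevated so other users' hives are reachable.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $KeyFile = '\\fileserver\ir\regkeys.txt',
    [string] $LogFile = '\\fileserver\ir\cleanup.log'
)

$HostName = $env:COMPUTERNAME

function Write-Log {
    param([string] $Message)
    $line = '{0}: {1}' -f (Get-Date -Format 'MM/dd/yyyy HH:mm:ss'), $Message
    Add-Content -LiteralPath $LogFile -Value $line
    Write-Verbose $line
}

# Expose HKEY_USERS as a drive so HKCU indicators can be applied to every loaded profile,
# not only to the account that runs this script.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userHives = @(Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { 'HKU:\' + $_.PSChildName })

function Expand-Target {
    # One indicator line -> the concrete registry paths to check on this host.
    param([string] $Entry)
    if ($Entry -match '^HKCU:\\(.+)$') {
        $rest = $Matches[1]
        return @("HKCU:\$rest") + @($userHives | ForEach-Object { "$_\$rest" })
    }
    return @($Entry)
}

function Remove-RegistryEntry {
    # Returns 'value' or 'key' for what was removed, or $null when nothing was found.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $Path)
    $parent = Split-Path -Path $Path -Parent
    $leaf   = Split-Path -Path $Path -Leaf
    # Run-key persistence is a value under the Run key, so look for a value first.
    if ($parent -and (Test-Path -LiteralPath $parent)) {
        $props = Get-ItemProperty -LiteralPath $parent -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $leaf)) {
            if ($PSCmdlet.ShouldProcess($Path, 'Remove-ItemProperty')) {
                Remove-ItemProperty -LiteralPath $parent -Name $leaf -Force -ErrorAction Stop
            }
            return 'value'
        }
    }
    # Otherwise treat the whole path as a key and remove it with its subkeys.
    if (Test-Path -LiteralPath $Path) {
        if ($PSCmdlet.ShouldProcess($Path, 'Remove-Item')) {
            Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction Stop
        }
        return 'key'
    }
    return $null
}

foreach ($rawEntry in Get-Content -LiteralPath $KeyFile) {
    $entry = $rawEntry.Trim()
    if (-not $entry -or $entry.StartsWith('#')) { continue }
    $hit = $false
    foreach ($target in Expand-Target -Entry $entry) {
        try {
            $kind = Remove-RegistryEntry -Path $target
        } catch {
            $hit = $true
            Write-Log "registry entry $target found but could not be removed from host ${HostName}: $($_.Exception.Message)"
            continue
        }
        if ($kind) {
            $hit = $true
            Write-Log "registry $kind found, removed $target from host $HostName"
        }
    }
    if (-not $hit) { Write-Log "registry entry $entry not found on host $HostName" }
}
```

Because the removal function declares SupportsShouldProcess, running the script with -WhatIf reports every value and key it would delete without touching the registry, which is the sensible first run on a machine you cannot afford to rebuild.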
Below you can find a video of the script in practice. The script itself will be published on GitHub, because I want to share it and so far I could not find anything like it online. The comments within the script should be sufficient to help you use it.
The script in practice
SecureLink SecureRespond services allow any company to react 24/7 to malicious cyber threats, enabling customers to complement existing resources with world-class competence to safely enable their business.
- SecureRespond Quarantine
- SecureRespond Malware
- SecureRespond Incident