IncidentResponsev2

4.25 Stop Malware / Rootkit

Task

Identify, contain, and remove active malware or rootkits from compromised hosts across Windows, Linux, and macOS systems to prevent persistence, lateral movement, and data exfiltration.

Conditions

Given:

Malware/rootkit detection alerts (EDR, SIEM, AV).
Suspicious process, file, or kernel-level anomaly.
Administrative access to infected endpoints.
Tools for live response, malware triage, and rootkit detection.
Malware/rootkit removal tools available and authorized.

Standards

Validate malware/rootkit presence via detection tools or manual inspection.
Identify malware process, file, persistence mechanisms, and in-memory artifacts.
Isolate impacted system from network.
Remove or quarantine identified malware/rootkit using best practices.
Validate system integrity post-cleanup.
Document actions taken and escalate for forensic analysis if needed.

End State

Malware/rootkit is removed or fully contained.
No residual persistence mechanisms remain.
System is returned to normal operation or scheduled for reimaging.
Post-eradication review conducted and documented.

Notes

Rootkits are stealthy and may hide processes, drivers, and files. Detection and removal require careful handling:

Prefer containment and forensic imaging before removal in high-risk cases.
Some malware/rootkits will survive simple file deletion — registry, services, drivers, and bootkits may exist.
Always preserve original artifacts for analysis.

Manual Steps

Step 1 → Detect Malware / Rootkit

Using EDR or AV

Review alerts (Crowdstrike, SentinelOne, Windows Defender ATP).
Identify detection related to:
- Kernel/Driver manipulation
- Suspicious unsigned or hidden processes
- DLL injection
- Anomalous process behavior

Using Sysinternals Suite (Windows)

# List running processes
procexp.exe

# Verify signatures and VirusTotal lookup
sigcheck.exe -vt -c c:\

Using Rootkit Detection Tools

Windows

GMER → Advanced rootkit detection
Malwarebytes Anti-Rootkit → Scan for known rootkits

Linux

chkrootkit
rkhunter --check

macOS

sudo kextstat | grep -v com.apple

Review unsigned kernel extensions

Network/Command Line Behavior

Look for beaconing or unusual outbound connections.
Detect unauthorized scheduled tasks, services, registry keys.

Step 2 → Isolate System

Remove from network via switch port or EDR isolation command.

# Example (Crowdstrike)
falconctl -g --isolation

Avoid rebooting unless instructed by malware analysis team.

Step 3 → Quarantine or Remove Malware / Rootkit

Automated Tools

Windows

Malwarebytes → Scan and remove
Defender ATP → Quarantine malicious files
GMER → Manually remove hidden objects

Linux

Remove suspicious binaries manually or via ClamAV/Chkrootkit findings.
Inspect crontabs, /etc/init.d, systemd for persistence.

rm /usr/bin/.malwarehidden

macOS

Remove LaunchAgents/LaunchDaemons

sudo rm ~/Library/LaunchAgents/com.malware.plist

Use Malwarebytes for Mac or KnockKnock to validate autoruns.

Manual File Removal (if necessary)

Use safe-mode or recovery environments if malware blocks deletion.
Remove file with built-in utilities.

Remove-Item -Force -Path "C:\malwarepath\malicious.exe"

Step 4 → Validate Removal and Perform Post-Cleanup

Rescan with rootkit and malware detection tools.
Check autorun entries, registry, crontabs, scheduled tasks.

Windows

Get-ScheduledTask

Linux

crontab -l
ls /etc/cron.*

macOS

launchctl list

Monitor network connections and logs for re-occurrence.

Running Script Examples

Example → Windows Sigcheck for hidden unsigned malware/rootkit

sigcheck.exe -e -v -c c:\

Example → Linux Find hidden files

find / -name ".*" -type f

Example → macOS List unsigned kernel extensions

kextstat | grep -v com.apple

Dependencies

Administrative access to infected hosts
Malware/rootkit detection and cleaning utilities
EDR platform access (isolation/quarantine)
SIEM access for ongoing monitoring
Network-level isolation controls (NAC, Switches)

Other Available Tools

Tool	Platform	Installation	Usage
GMER	Windows	Portable	Rootkit detection
Malwarebytes	Windows/macOS	Installed	Malware and rootkit removal
Sysinternals Suite	Windows	Portable	File, process, autorun analysis
rkhunter / chkrootkit	Linux	Installed	Rootkit detection
KnockKnock	macOS	Installed	Autorun analysis

Operator Recommendations and Best Practices

Operator Checklist

Confirm detection of malware/rootkit
Isolate host immediately
Use multiple tools to verify hidden objects
Remove malware/rootkit via automated or manual means
Validate no persistence mechanisms remain
Document actions taken and validate cleanup
Escalate for forensic imaging if advanced/root-level malware was detected

Best Practices

Do not reboot unless required — malware/rootkits may be memory-resident only.
Prioritize removal of network access first to prevent spread or exfiltration.
Keep forensic copy or snapshot before aggressive cleanup.
Review system integrity post-removal — missing/altered files may require reimaging.
For heavily infected hosts → prefer rebuild rather than trust post-cleanup state.

References

Revision History

Date	Version	Description	Author
2025-05-02	1.0	Generated detailed operator workflow with detection, containment, and eradication process	Leo