IncidentResponsev2

4.27 Stop Malware Backdoor

Task

Stop malware backdoor

Conditions

Given:

A compromised system, perform steps to stop malware backdoors and Command and Control (C2) beaconing.

Standards

Execute Stop_malware_backdoor.ps1 to initiate analysis.
An executable named Cerberus.exe will appear.
Cerberus.exe must be run with administrator privileges.
Use Cerberus to analyze, suspend, or kill malware backdoor or C2 beaconing threads.
Removal is precise — Cerberus targets malicious threads only, not entire processes.

End State

System processes are cleared of malicious code injections.
Backdoors and C2 beaconing activities are halted.
Normal system operations are preserved without requiring process restarts.

Notes

Precision Control:
Cerberus will only target malicious threads. It will NOT kill the hosting process, reducing operational disruption.
Suspension and Kill Options:
- --suspend suspends malicious threads without killing them.
- --kill terminates malicious threads completely.
This procedure also applies to 4.28 Stop C2 Beaconing as C2 backdoors are often intertwined.

Manual Steps

Step 1 → Run Backdoor Script and Analyzer

Execute PowerShell Script

.\Stop_malware_backdoor.ps1

This script will prepare the environment and spawn Cerberus.exe.

Run Cerberus.exe with Analyze Mode

Cerberus.exe --analyze

This analyzes all running processes and identifies malicious threads.
Outputs suspicious processes and thread IDs.

Step 2 → Suspend Identified Malicious Threads

Cerberus.exe --suspend

This pauses execution of malicious threads to stop backdoor/C2 activity without crashing processes.
Useful if malware should not be killed immediately (forensics, validation, etc.).

Step 3 → Kill Malicious Threads

Cerberus.exe --kill

This terminates malicious threads permanently.
Process remains running, but malicious code is eradicated.

Step 4 → Validate Process and Network Status

Confirm no malicious threads are running.
Use EDR and network monitoring tools:

Windows

Get-Process
netstat -anob

Linux/macOS (for completeness if backdoor affects multiple OS)

ps aux
ss -tulnp

Ensure no unauthorized C2 beaconing persists.

Running Script

# Example running the backdoor mitigation script
.\Stop_malware_backdoor.ps1

# Example running Cerberus in analyze mode
Cerberus.exe --analyze

# Suspend malicious threads
Cerberus.exe --suspend

# Kill malicious threads
Cerberus.exe --kill

Dependencies

Cerberus.exe (deployed by Stop_malware_backdoor.ps1)
Administrator privileges
EDR or Process Monitoring Tools
Network access to validate beaconing has stopped

Other Available Tools

Tool	Platform	Installation	Usage
Cerberus.exe	Windows	Generated by script	Malware thread analysis + control
Sysinternals Suite	Windows	Portable	Process, autoruns, and threads monitoring
EDR Solutions (CrowdStrike, SentinelOne)	Cross-platform	Installed	Network and process behavior monitoring
Volatility (optional)	Cross-platform	Installed	Memory analysis if rootkit suspected

Operator Recommendations and Best Practices

Operator Checklist

Run Stop_malware_backdoor.ps1 to deploy Cerberus
Run Cerberus in --analyze mode to identify threads
Run Cerberus in --suspend to halt malicious activity if required
Run Cerberus in --kill to permanently stop malicious threads
Validate via EDR or process monitor that no malicious code is running
Document eradication steps and handoff for post-incident review

Best Practices

Only use --kill after validation that malicious threads are not essential for production processes.
Prefer --suspend when analysis is ongoing or forensic collection is needed.
Document each execution for audit and evidence chain.
Use memory analysis tools if malware is suspected to use advanced persistence (rootkits).

References

Revision History

Date	Version	Description	Author
2025-05-02	1.1	Merged original manual steps and Cerberus usage with advanced eradication detail and expanded operator workflow	Leo