IncidentResponsev2

4.65 Validate All Malware, Implants, and Webshells Have Been Removed (Local, Web, Cloud)

Task

Ensure that no malware, implants, or webshells remain across local systems, web-facing assets, and cloud environments following eradication actions.

Conditions

Given access to endpoint protection platforms (AV/EDR), forensic tools, web file systems, and cloud-native detection and scanning capabilities.

Standards

Enumerate all local, web, and cloud workloads.
Detect unauthorized binaries, scripts, implants, and webshells.
Remove and validate removal of malicious artifacts.
Document actions taken and confirm eradication.

End State

All identified malware, implants, and webshells are removed and validated as eradicated across all environments.

Notes

Webshells often survive typical antivirus scans → manual inspection required.
Cloud VMs, buckets, and storage may retain malicious scripts unnoticed.
Memory-resident implants require advanced forensic detection (EDR, memory forensics).

Manual Steps

Step 1: Enumerate Local Malware and Implants

Run Full AV/EDR Scans

Platform	Recommended Tools
Windows	Defender AV (Full Scan), CrowdStrike, SentinelOne
Linux	ClamAV, YARA, Sophos, EDR tools
macOS	XProtect, Malwarebytes, EDR tools

# Windows Defender Example
Start-MpScan -ScanType FullScan

# Linux ClamAV Example
clamscan -r / --bell -i

Look for:

Known malware
Potentially unwanted programs (PUPs)
Obfuscated or packed binaries

Operator Note: Ensure EDR policies allow for aggressive scanning and detection.

Detect Fileless or Memory Resident Malware (Advanced)

Memory Analysis (Volatility or EDR Memory Scan)

volatility -f memorydump.raw --profile=Win10x64_18362 pslist

Look for:

Suspicious or unsigned processes
Injected DLLs
PowerShell running without visible tasks

Operator Note: EDR consoles (CrowdStrike, SentinelOne) offer built-in memory analysis.

Step 2: Enumerate Web-facing Malware and Webshells

Web Server File Integrity Check

find /var/www -type f -exec md5sum {} \; > files.md5
# Compare to known-good baseline

Look for:

Recently modified PHP/ASP/JS files
Files with obfuscated variable names or base64 encoding
Files with upload or eval functions

Webshell Detection Tools

# Linux - LMD (Linux Malware Detect)
maldet -a /var/www

# Windows IIS
Search for *.asp;*.aspx files with unknown owners/modification times

Operator Note: Use YARA rules to detect known webshell patterns.

Analyze Web Server Access Logs

cat /var/log/apache2/access.log | grep -i "cmd="

Look for:

URLs with suspicious parameters (cmd=, eval=, exec=)
POST requests to static files (ex: jpg, php, txt)

Step 3: Enumerate Cloud Storage and Compute Malware

AWS

aws s3 ls s3://bucket-name --recursive
aws s3api list-objects --bucket bucket-name

Look for:

Executable files (.exe, .sh, .php) stored in public or writable buckets
Files uploaded recently or by unknown users

GuardDuty / Inspector Findings

aws guardduty list-findings
aws inspector2 list-findings

Operator Note: GuardDuty Malware Protection scans EBS volumes → ensure enabled.

Azure

Get-AzStorageBlob -Container CONT -Context $ctx

Look for:

Executables or scripts in blob storage
Public blobs with risky content

Defender for Cloud

Review recommendations → malware detected or suspected

GCP

gcloud storage buckets list
gcloud storage objects list --bucket BUCKET_NAME

Look for:

Suspicious file extensions in storage
Publicly accessible storage objects

Security Command Center

Review active findings → malware flagged or anomalous access

Step 4: Remove Identified Malware, Implants, and Webshells

Local

# Windows
Remove-Item -Path "C:\Path\to\Malware.exe" -Force

# Linux/macOS
rm /path/to/malware.sh

Web Servers

rm /var/www/html/suspiciousfile.php

Cloud

AWS

aws s3 rm s3://bucket-name/suspicious-file.php

Azure

Remove-AzStorageBlob -Container CONT -Blob suspicious.php -Context $ctx

GCP

gcloud storage objects delete suspicious-file.php --bucket=BUCKET_NAME

Operator Note: Validate backups to ensure malware/webshells are not reintroduced during recovery.

Step 5: Validate and Document

Re-run AV/EDR, YARA scans after removal
Validate web directories → no unknown PHP/ASP files remain
Validate cloud storage → empty of malicious files
Document removed artifacts → filename, path, owner, detection method

Dependencies

AV/EDR software and full scan capabilities
Web server file access
Cloud provider access and malware detection features
YARA rulesets and file integrity baselines

Other Available Tools

Tool	Platform	Installation	Usage
YARA	Cross-platform	Package manager	Malware/webshell pattern scanning
ClamAV / maldet	Linux	Package manager	On-demand file scanning
EDR platforms (CrowdStrike, SentinelOne)	Enterprise	Native	Memory + disk scanning
AWS GuardDuty / Inspector	AWS	Native	Malware detection
Azure Defender for Cloud	Azure	Native	Malware detection
GCP Security Command Center	GCP	Native	Malware detection

Operator Recommendations and Additional Tools

Operator Checklist

Run full AV/EDR scans on all local systems.
Review and validate memory for implants (EDR/Volatility).
Enumerate web directories → remove unauthorized webshells.
Enumerate cloud storage → remove unauthorized binaries and scripts.
Validate removal with secondary scans.
Document all malware/webshell discoveries and removal actions.

Best Practices

Use YARA rules regularly → detect custom malware/webshells.
Enable malware protection features in cloud-native security tools.
Perform periodic web and file integrity monitoring.
Quarantine suspicious files instead of deleting immediately for forensic review.

References

Revision History

Date	Version	Description	Author
2025-05-02	1.0	Created from scratch with deep operator-focused eradication + web/cloud malware validation	Leo