{"id":19297386,"url":"https://github.com/dncrypter/malware-eradication-insident-response-lab","last_synced_at":"2026-06-13T04:33:16.223Z","repository":{"id":261475536,"uuid":"884410523","full_name":"DNcrypter/Malware-Eradication-Insident-Response-Lab","owner":"DNcrypter","description":"This Lab is going to cover practical scenario of incident response in corporate environment. Here I will try to show how the Malware eradication process works. That is one of the main process of incident response.","archived":false,"fork":false,"pushed_at":"2024-11-06T18:55:03.000Z","size":334,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-05T22:09:38.541Z","etag":null,"topics":["labs","malware-analysis","powershell","sandbox"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DNcrypter.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-11-06T17:44:24.000Z","updated_at":"2024-11-06T19:04:55.000Z","dependencies_parsed_at":"2024-11-06T19:26:46.545Z","dependency_job_id":"8c4fc37a-e645-40f2-912c-77026f3b2a87","html_url":"https://github.com/DNcrypter/Malware-Eradication-Insident-Response-Lab","commit_stats":null,"previous_names":["dncrypter/malware-eradication-insident-response-lab"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FMalware-Eradication-Insident-Response-Lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FMalware-Eradication-Insident-Response-Lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FMalware-Eradication-Insident-Response-Lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DNcrypter%2FMalware-Eradication-Insident-Response-Lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DNcrypter","download_url":"https://codeload.github.com/DNcrypter/Malware-Eradication-Insident-Response-Lab/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240400338,"owners_count":19795332,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["labs","malware-analysis","powershell","sandbox"],"created_at":"2024-11-09T23:04:21.277Z","updated_at":"2026-06-13T04:33:16.183Z","avatar_url":"https://github.com/DNcrypter.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Malware-Eradication-Insident-Response-Lab\n\n\n\nThis Lab is going to cover practical scenario of incident response in corporate environment. Here I will try to show how the eradication process works. That is one of the main process of incident response. Let’s start.\n\n[![MIT License](https://img.shields.io/badge/License-MIT-green.svg)](https://choosealicense.com/licenses/mit/)\n        [![LinkedIn](https://img.shields.io/badge/LinkedIn-Profile-blue)](https://www.linkedin.com/in/nikhil--chaudhari/)\n        [![Medium](https://img.shields.io/badge/Medium-Writeups-black)](https://medium.com/@nikhil-c)\n\n## 🍁Introduction\nHere we are going to cover how we handle infected system by malware using powershell command-line.\n\nWe will learn different PowerShell Commands can be used in Incident Response to remediate the machine. I will take a real world scenario where a machine is infected with malware e.g. NanoCore RAT to explain this PowerShell Commands\n\nThese commands can be very useful in a limited Windows environment where you don’t have access to tools like GNU core utilities, Python interpreters etc. If PowerShell remoting [2] is configured in your environment then you run these commands even on a remote infected machine from your clean machine.\n\n## What we will cover here ?\n* PowerShell\n* Malware infection scenario- NanoCore\n* PowerShell Commands for Incident Response\n* Conclusion\n* References\n\n## 🍁PowerShell\nPowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power-users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes.\n\nPowerShell is based on object not text. The output of a command is an object. You can send the output object, through the pipeline, to another command as its input.\n\n## 🍁Malware infection scenario- NanoCore\nSuppose there is a NanoCore malware infection in our environment and we are at the eradication step of Incident Response. We will learn which PowerShell Commands can be used for Incident Response but it can be applicable to any malware family . To keep it simple, we will consider following points:\n\nOnly one Windows 10 machine is infected with NanoCore malware in our environment based on Network logs.\nWe have physical access to this machine so no need for PowerShell Remoting.\nWe have the copy of the initial NanoCore sample 0ed2be7c91efdb87c98084bb0a22d8d7 which infected the machine, so we know the IoCs.  \n### NanoCore IoCs\n1. Drop RAVBg64.exe and bat files in $Env:TEMP\n2. Create run.dat and other files in the GUID directory in $Env:APPDATA.\n3. Create Persistency by creating autorun entry in HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n4. CC: anunankis3.duckdns.org\n\n## 🍁PowerShell Commands for Incident Response\nThe main goal of this Eradication step in Incident response is to remove all the malware artifacts from the system and verify if the system is completely cleaned or not.\n\nOne of the good things about PowerShell Commands is you don’t need to use different tools for working with files, registry or processes, all the things you can manage using inbuilt PowerShell cmdlets. All the PowerShell commands are tested on PowerShell 7 (or Core) but should work on Windows PowerShell 5.1.\n\n### Steps for removing NanoCore infection:\n1. Check for malicious process\n2. Terminate malicious process\n3. Remove the persistency\n4. Check for files in $env:APPDATA\\GUID\\\n5. Get the Hashes of the files\n6. Copy artifacts for analysis\n7. Delete malware artifacts\n\n**Note :** \nPlease make sure you are running the PowerShell with admin privilege otherwise you will not be able to remediate the system.\n\n#### 1. Check for malicious process\nWe have to check if the malicious process RAVBg64.exe is currently executing from $env:TEMP directory or not. Get-Process cmdlet can be used to get currently executing processes as shown in the pic below.\n```\nGet-Process\n```\n#### Get-Process PowerShell cmdlet output\n\nWe know this RAVBg64 .exe process is executing as shown in the above image but we need to know the complete path to identify if it’s running from the temp directory.\n```\nGet-Process RAVBg64 | Select-Object Id, ProcessName, Path, Company, StartTime | Format-Table\n```\nGet-Process cmdlet doesn’t support the process command line so use Get-WmiObject command\n\nOnly applicable for Windows PowerShell 5.1\n```\nGet-WmiObject -Class Win32_Process -Filter \"name='RAVBg64.exe'\" | Select-Object ProcessId, ProcessName, CommandLine\n```\nBut Get-Wmiobject is deprecated so use Get-CimInstance for PowerShell 7 as mentioned by reddit user.\n```\nGet-CimInstance -Class Win32_Process | Format-Table -Property ProcessId, ProcessName, CommandLine -Autosize\n```\n\nGet-Process \u0026 Get-WmiObject PowerShell cmdlets output\n\n#### 2. Terminate malicious process\n\nStop-Process can be used to terminate processes based on process name or process ID (PID), or pass a process object.\n```\nGet-Process RAVBg64 | Stop-Process\n```\nYou may need to stop this process imapsv.exe instead of RAVBg64.exe, if the machine has already restarted as this filename is used in registry for persistence.\n\n**Note** : If you don’t stop the malicious process and try to delete the file from disk then it will give you access error due to the open handle.  \n\n#### 3. Remove Persistence\n\nGet-ItemProperty cmdlet can be used for listing registry entries as shown below:\n```\nGet-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'IMAP Service'\n```\nRemove-ItemProperty can be used for removing NanoCore persistence registry entry.\n```\nGet-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' | Remove-ItemProperty -Name 'IMAP Service' Get-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n```\nQuery \u0026 remove NanoCore registry entry using PowerShell Command.\n\n\n#### 4. Check for files in $env:APPDATA\\GUID\\\n\nNanoCore creates a unique GUID dir in $env:APPDATA to keep it’s copy and logs. We can Get-ChildItem cmdlet to list the directory it’s like dir cmd. This cmdlet can be used in file system directory, registry hive, or a certificate store.\n\n**-Recurse** — Used to recursive list all the sub-dir  \n**-Filter** — You can use the parameter to filter the path and it supports * and ? wildcards e.g *.dat, *.exe  \n```\nGet-ChildItem -Path $Env:APPDATA -Force -Recurse -Filter run.dat\n```\nInstead of Get-ChildItem, we can Test-Path to check if the dir or file exists or not.\n```\nTest-Path -Path $Env:APPDATA\\*\\run.dat\n```\n**Note**:\n-Force — It is used to list hidden or system files. Some malware use the hidden attribute for their files, so always use this parameter.\n\n#### Test-Path \u0026 Get-ChildItem PowerShell cmdlets\n\nAfter running the above cmds you will be able to know the unique GUID directory name 0319B08F-2B65–4192-B2D2–1E2F62087064 , this folder contain other artifacts as shown in below screenshot.  \n```\nGet-ChildItem -Path C:\\Users\\admin\\AppData\\Roaming\\0319B08F-2B65-4192-B2D2-1E2F62087064\\ -Force -Recurse\n```\nGet-ChildItem cmdlets using Force \u0026 Recurse parameters.\n\n#### 5. Gather hashes\n\nGet-FileHash cmdlet can be used to get the hash using a different algorithm e.g. MD5. SHA1 , SHA256 etc. By default, the Get-FileHash cmdlet uses the SHA256 algorithm, although any hash algorithm that is supported by the target operating system can be used.\n\n**SHA256**  \nGet-FileHash -Path \n```\n'C:\\Users\\admin\\AppData\\Roaming\\0319B08F-2B65-4192-B2D2-1E2F62087064\\IMAP Service\\imapsv.exe'\n```\n**MD5**  \nGet-FileHash -Algorithm MD5 -Path \n```\n'C:\\Users\\admin\\AppData\\Roaming\\0319B08F-2B65-4192-B2D2-1E2F62087064\\IMAP Service\\imapsv.exe'\n```\n\n#### Get-FileHash PowerShell cmdlet\n\nWe can use Get-ChildItem \u0026 Get-FileHash cmdlets for collecting the file hashes in the directory with MD5, SHA256, Name \u0026 FullName.\n\nWe will use calculated properties that require a Hashtable with a Name/label and an Expression key. The name key is the property name and the Expression key is a scriptblock that will be executed as Select-Object receives input. Please read this great article [5] by @adbertram regarding calculated properties using Hashtable.\n```\n@{ Name = ''; Expression = {}}\n```\nUsing E/Expression we are calculating the MD5 \u0026 SHA256 of each file returned by Get-ChildItem.\n\n```\nGet-ChildItem -Path C:\\Users\\admin\\AppData\\Roaming\\0319B08F-2B65-4192-B2D2-1E2F62087064\\ -Force -Recurse -File | Select-Object @{Name='MD5';E={(Get-FileHash -Algorithm MD5 $_).Hash}}, @{N='SHA256';E={(Get-FileHash -Algorithm SHA256 $_).Hash}}, Name, FullName\n```\n\nGather MD5, SHA256, Name and FullName of NanoCore files.  \n\nNow we will export the result in FileHashes.csv format using Export-Csv.\n```\nGet-ChildItem -Path C:\\Users\\admin\\AppData\\Roaming\\0319B08F-2B65-4192-B2D2-1E2F62087064\\ -Force -Recurse -File | Select-Object @{Name='MD5';E={(Get-FileHash -Algorithm MD5 $_).Hash}}, @{N='SHA256';E={(Get-FileHash -Algorithm SHA256 $_).Hash}},Name, FullName | Export-Csv -Path FileHashes.csv\n\n```\nPowerShell Command for exporting hashes to csv.\n\n#### 5. Copy artifacts for analysis\n\nBefore removing the artifacts, we may want to copy them for further analysis if needed by other teams.\n\nLet’s use the New-Item cmdlet to create the directory and use Copy-Item to copy the files to IoCs dir.\n```\nNew-Item -ItemType Directory -Path C:\\Users\\admin\\IoCs\n```\n```\nCopy-Item C:\\Users\\admin\\AppData\\Roaming\\0319B08F-2B65-4192-B2D2-1E2F62087064\\ -Destination C:\\Users\\admin\\IoCs\\ -Recurse\n```\n\nNew-Item \u0026 Copy-Item PowerShell cmdlets for directory.\n\n#### 6. Delete malware artifacts\n\n**Note**: Don’t forget to use -Force in Remove-Item, otherwise you cannot delete read-only or hidden files which are frequently used in Malware.\n\nWe have already removed the persistence mechanism, now we just need to delete the files from the infected machine using Remove-Item cmdlet.  \nDelete the complete dir recursively.  \n```\nRemove-Item -Path $env:APPDATA\\0319B08F-2B65-4192-B2D2-1E2F62087064\\ -Recurse -Force\n```\nRemove the copy of the NanoCore malware.\n```\n Remove-Item -Path $env:TEMP\\RAVBg64.exe -Force\n\n```\nDelete the initial file.  \n```\nRemove-Item -Path $env:USERPROFILE\\Desktop\\Serial.exe\n\n```\nRemove-Item cmdlet for file \u0026 directory.\n\n## 🍁Conclusion\nAt the end we have studied useful PowerShell Commands which can be used in Incident Response for NanoCore but these commands can be applied to any malware infection. There are a lot more PowerShell Commands which can be used in Incident Response.\n\nFor the next iteration, you can even write the PowerShell script and deploy to multiple machines over your network for cleanup.\n\n## 🍁References\n* [PowerShell Overview — Microsoft](https://docs.microsoft.com/en-gb/powershell/scripting/overview?view=powershell-7)\n* [PowerShell remoting](https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7)\n* [Installing PowerShell Core](https://docs.microsoft.com/en-gb/powershell/scripting/install/installing-powershell-core-on-windows?view=powershell-7.x)\n* [ANY.RUN](https://app.any.run/tasks/6b063197-d725-4642-954e-5e6a99efa884/) — (MD5: 0ed2be7c91efdb87c98084bb0a22d8d7) NanoCore\n* [Using PowerShell’s Calculated Properties.](https://mcpmag.com/articles/2017/01/19/using-powershell-calculated-properties.aspx)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdncrypter%2Fmalware-eradication-insident-response-lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdncrypter%2Fmalware-eradication-insident-response-lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdncrypter%2Fmalware-eradication-insident-response-lab/lists"}