Team: Huntress EDR
Product: Malware Footholds
Environment: Huntress EDR
Summary: Remediation can be hindered by footholds that reappear after removal. To prevent a foothold from being recreated, manually terminate all associated processes first.
When remediating malware footholds, you may find that a foothold reappears after you remove it. This usually means the malware is still running: it detected that its foothold was removed and recreated it. You may need to terminate the malicious process before continuing with the remediation steps. The following steps are a general guide.
If you cannot find the process, or the file continues to be recreated, you may need to boot into Safe Mode to remove the malware. Some malware injects into legitimate processes (such as explorer.exe), which makes it harder to find and terminate.
To terminate a process:
- Start the "Task Manager" by right-clicking on your taskbar.
- Locate the malicious process on the "Processes" tab (the process name is normally the name of the executable included in the incident report).
- Right-click on the process name and click "End Process".
After completing these steps, try removing the foothold again. If the foothold is recreated, booting into Safe Mode to complete the remediation steps is probably the route to take.
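The same sequence can be scripted when the Task Manager route is awkward (for example over a remote session). The following PowerShell is an added example, not Huntress tooling: it terminates every instance of the executable named in the incident report, removes the foothold file, and then watches for the file to be recreated, which is the signal that the malware is still alive and Safe Mode is needed. The process name and foothold path are constructed placeholders; substitute the values from your incident report.

```powershell
# Added example (not Huntress's own tooling). Terminate the process named in the
# incident report, remove the foothold, then watch whether it is recreated.
param(
    # Constructed placeholders: use the executable name (without .exe) and the
    # foothold path from your incident report.
    [string]$ProcessName  = 'malware_sample',
    [string]$FootholdPath = 'C:\Users\Public\malware_sample.exe',
    [int]$WatchSeconds    = 30
)

# 1. Find every running instance of the executable named in the report.
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No process named '$ProcessName' found. It may have injected into a legitimate process (e.g. explorer.exe); consider Safe Mode."
} else {
    foreach ($p in $procs) {
        # Log the image path so a name collision with a legitimate binary is visible.
        Write-Host ("Terminating PID {0} ({1})" -f $p.Id, $p.Path)
        Stop-Process -Id $p.Id -Force
    }
    # Confirm nothing by that name survived before touching the foothold.
    Start-Sleep -Seconds 2
    if (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        Write-Warning "Process '$ProcessName' is still running; removal of the foothold will likely fail."
    }
}

# 2. Remove the foothold file referenced by the persistence mechanism.
if (Test-Path -LiteralPath $FootholdPath) {
    Remove-Item -LiteralPath $FootholdPath -Force
    Write-Host "Removed foothold: $FootholdPath"
} else {
    Write-Host "Foothold not present: $FootholdPath"
}

# 3. Watch for recreation: if the file returns, the malware is still running
#    somewhere and Safe Mode is the next step.
$deadline = (Get-Date).AddSeconds($WatchSeconds)
while ((Get-Date) -lt $deadline) {
    if (Test-Path -LiteralPath $FootholdPath) {
        Write-Warning "Foothold recreated at $(Get-Date -Format o); boot into Safe Mode and repeat the remediation."
        return
    }
    Start-Sleep -Seconds 1
}
Write-Host "Foothold did not reappear within $WatchSeconds seconds."
```

Run it from an elevated PowerShell session; a foothold that is a registry value or scheduled task rather than a file needs the removal and recreation check in step 2 and 3 adapted accordingly.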