Add eliminate package with functions for removing suspicious artifacts (files, directories, processes, services, scheduled tasks) and enhance detection logic to include whitelist checks and multi-indicator scoring

internal/pkg/hunt/eliminate/autorun.go

@@ -0,0 +1,20 @@
+package eliminate
+
+import (
+	"fmt"
+	. "rmm-hunter/internal/suspicious"
+
+	"github.com/Kraken-OffSec/Scurvy"
+)
+
+// EliminateAutoRun removes an autorun entry from the system
+func EliminateAutoRun(ar AutoRun) error {
+	all := scurvy.ListAutoruns()
+	for _, a := range all {
+		if a.MD5 == ar.MD5 {
+			// Found it, delete it
+			return scurvy.DeleteAutorun(a)
+		}
+	}
+	return fmt.Errorf("%s | %s not found", ar.Location, ar.Entry)
+}

internal/pkg/hunt/eliminate/binary.go

@@ -0,0 +1,8 @@
+package eliminate
+
+import "os"
+
+// EliminateBinary removes a binary from the system
+func EliminateBinary(path string) error {
+	return os.Remove(path)
+}

internal/pkg/hunt/eliminate/connection.go

@@ -0,0 +1,36 @@
+package eliminate
+
+import (
+	"fmt"
+
+	"github.com/Kraken-OffSec/Scurvy/core/firewall"
+)
+
+// EliminateConnection adds an outbound block for the connection to the Windows firewall
+func EliminateConnection(dst string) error {
+	// Create a new WindowsFirewall instance
+	fw, err := firewall.NewWindowsFirewall()
+	if err != nil {
+		return err
+	}
+
+	// Check if firewall is enabled
+	if !fw.Enabled() {
+		return fmt.Errorf("windows firewall is currently disabled. please enable it and try again")
+	}
+
+	// Add a block rule for the destination
+	return fw.AddRule(firewall.FirewallRule{
+		Name:          fmt.Sprintf("Block Outgoing %s", dst),
+		Direction:     "outbound",
+		Protocol:      "any",
+		LocalPort:     "any",
+		RemotePort:    "any",
+		LocalAddress:  "",
+		RemoteAddress: "",
+		Action:        "block",
+		Profile:       "",
+		Destination:   dst,
+		Source:        "",
+	})
+}

internal/pkg/hunt/eliminate/directory.go

@@ -0,0 +1,7 @@
+package eliminate
+
+import "os"
+
+func EliminateDirectory(path string) error {
+	return os.RemoveAll(path)
+}

internal/pkg/hunt/eliminate/eliminate.go

@@ -1 +0,0 @@
-package eliminate

internal/pkg/hunt/eliminate/processes.go

@@ -0,0 +1,16 @@
+package eliminate
+
+import (
+	. "rmm-hunter/internal/suspicious"
+
+	scurvy "github.com/Kraken-OffSec/Scurvy"
+)
+
+// EliminateProcess kills a process and removes its binary from the system
+func EliminateProcess(p Process) error {
+	err, proc := scurvy.FindProcessByPID(p.PID)
+	if err != nil {
+		return err
+	}
+	return proc.Kill()
+}

internal/pkg/hunt/eliminate/scheduledTasks.go

@@ -0,0 +1,11 @@
+package eliminate
+
+import (
+	. "rmm-hunter/internal/suspicious"
+
+	scurvy "github.com/Kraken-OffSec/Scurvy"
+)
+
+func EliminateScheduledTask(t ScheduledTask) error {
+	return scurvy.DeleteScheduledTask(t.Name)
+}

internal/pkg/hunt/eliminate/services.go

@@ -0,0 +1,12 @@
+package eliminate
+
+import (
+	. "rmm-hunter/internal/suspicious"
+
+	scurvy "github.com/Kraken-OffSec/Scurvy"
+)
+
+// EliminateService stops and removes a service from the system
+func EliminateService(s Service) error {
+	return scurvy.RemoveService(s.Name)
+}