Add eliminate package with functions for removing suspicious artifacts (files, directories, processes, services, scheduled tasks) and enhance detection logic to include whitelist checks and multi-indicator scoring

2025-10-11 17:22:44 -04:00
parent e835629643
commit b855f0eaec
15 changed files with 346 additions and 114 deletions
@@ -0,0 +1,20 @@
+package eliminate
+
+import (
+	"fmt"
+	. "rmm-hunter/internal/suspicious"
+
+	"github.com/Kraken-OffSec/Scurvy"
+)
+
+// EliminateAutoRun removes an autorun entry from the system
+func EliminateAutoRun(ar AutoRun) error {
+	all := scurvy.ListAutoruns()
+	for _, a := range all {
+		if a.MD5 == ar.MD5 {
+			// Found it, delete it
+			return scurvy.DeleteAutorun(a)
+		}
+	}
+	return fmt.Errorf("%s | %s not found", ar.Location, ar.Entry)
+}