This page is a user guide.
For developers, see the developer documentation.
For a high-level overview of this project, read this page.
A prebuilt binary can be downloaded from the releases folder.
cmd /c
-f
killswitch-port option
killswitch-ip option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache:AppCompatCache
The root key can be specified by either its full name or by its shorthand, like HKLM.
artifact-exterminator.exe -s 1 -a notepad.exe,mimikatz.exe
This argument is mainly for internal use within the program code for scheduling tasks.
Values should come after their flags, separated by spaces.
Download artifact-exterminator-malware, append a .exe extension to the file name, and run the following command:
artifact-exterminator.exe -f artifact-exterminator-malware.exe --args 15 -k "HKCU\Keyboard Layout\MaliciousKey1,HKCU\Keyboard Layout\MaliciousKey2" -v "HKCU\Control Panel\Mouse:MaliciousValue1,HKCU\Control Panel\Mouse:MaliciousValue2" --features registry,shimcache,prefetch,amcache -d 10
Run the following command with artifact-exterminator-malware:
artifact-exterminator.exe -f artifact-exterminator-malware.exe --args 15 -k "HKCU\Keyboard Layout\MaliciousKey1,HKCU\Keyboard Layout\MaliciousKey2" -v "HKCU\Control Panel\Mouse:MaliciousValue1,HKCU\Control Panel\Mouse:MaliciousValue2" --features registry,shimcache,prefetch,amcache -d 10 --killswitch-ip 127.0.0.1 --killswitch-port 8080
When the program indicates that it is attempting to connect to the specified kill switch, run the sample kill switch and wait out the timeout until the kill switch is activated:
python sock.py
artifact-exterminator.exe -f notepad.exe --args C:\Windows\win.ini
artifact-exterminator.exe -f notepad.exe --args C:\Windows\win.ini --killswitch-ip 127.0.0.1 --killswitch-port 8080 --killswitch-poll 3
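For responders, the command lines above are themselves evidence: when one is recovered from process-creation logging, it names the registry keys, registry values and features the run was pointed at. The following is an added example, not part of the project's code. It parses such a command line and lists those targets. The flag meanings are inferred from the examples on this page, and the names TOOL, VALUE_FLAGS, ROOTS, full_root, parse_invocation, triage and SAMPLE_LOG are hypothetical.

```python
import shlex

TOOL = "artifact-exterminator"
# Flags exactly as they appear in this page's command lines. What each one
# does is inferred from those examples (assumption), not from the tool's source.
VALUE_FLAGS = {"-f", "--args", "-k", "-v", "--features", "-d", "-s", "-a",
               "--killswitch-ip", "--killswitch-port", "--killswitch-poll"}
ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

def full_root(path):
    """Expand a shorthand root key to its full name."""
    root, sep, rest = path.partition("\\")
    return ROOTS.get(root.upper(), root) + sep + rest

def parse_invocation(command_line):
    """Return {flag: value} if the command line starts the tool, else None."""
    # posix=False keeps backslashes literal, which Windows paths require.
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    image = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    if image not in (TOOL, TOOL + ".exe"):  # a renamed binary is not matched
        return None
    flags, i = {}, 1
    while i < len(tokens):
        if tokens[i] in VALUE_FLAGS and i + 1 < len(tokens):
            flags[tokens[i]] = tokens[i + 1]  # values follow their flags
            i += 2
        else:
            i += 1
    return flags

def triage(command_line):
    """List the artifacts an invocation named, so a responder can check them."""
    flags = parse_invocation(command_line)
    if flags is None:
        return None
    items = lambda flag: [x for x in flags.get(flag, "").split(",") if x]
    return {
        "launched": flags.get("-f"),
        "registry_keys": [full_root(k) for k in items("-k")],
        # -v entries use the key:value form shown on this page
        "registry_values": [full_root(v).rpartition(":")[::2] for v in items("-v")],
        "features": items("--features"),
        "killswitch": (flags.get("--killswitch-ip"), flags.get("--killswitch-port")),
    }

# Constructed process-creation command lines (not real telemetry).
SAMPLE_LOG = [
    r'artifact-exterminator.exe -f artifact-exterminator-malware.exe --args 15 -k "HKCU\Keyboard Layout\MaliciousKey1,HKCU\Keyboard Layout\MaliciousKey2" -v "HKCU\Control Panel\Mouse:MaliciousValue1,HKCU\Control Panel\Mouse:MaliciousValue2" --features registry,shimcache,prefetch,amcache -d 10 --killswitch-ip 127.0.0.1 --killswitch-port 8080',
    r'notepad.exe C:\Windows\win.ini',
]
```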