lab_cleaner

# Lab Cleaner

Lab Cleaner is a defensive utility for Linux that helps you remove persistence and processes left behind when testing your own malware, droppers, or payloads on a lab system. Lab Cleaner gives you a safe way to scan, dry-run, and optionally remove those leftovers.

⸻

# Quick Start

### 1. Clone the repo

```bash
git clone https://github.com/ekomsSavior/lab_cleaner.git
cd lab_cleaner
```

### 2. Dry-run scan (no changes, just logs)

```bash
python3 lab_cleaner.py
```

### 3. Apply cleanup (requires sudo for system paths)

```bash
sudo python3 lab_cleaner.py --apply
```

### 4. Strict mode with ad-hoc IOCs

```bash
sudo python3 lab_cleaner.py --strict-nightshade --apply \
  --extra-name nightshade_dropper.py \
  --extra-string "Nightshade C2" \
  --extra-port 4444
```

### 5. Optional temp scrub

```bash
sudo python3 lab_cleaner.py --apply --scrub-temp
```

Logs are written to a timestamped file like:

```
lab_cleanup_20250911_123456.log
```

⸻

# Arguments

| Flag | Description |
| --- | --- |
| `--apply` | Perform removals (default is dry-run). |
| `--scrub-temp` | Remove matching files in /tmp, /var/tmp, /dev/shm (7d). |
| `--strict-nightshade` | Use the tight signature set defined at the top of the script. |
| `--extra-name NAME` | Add extra basename(s) for strict mode. |
| `--extra-string STR` | Add extra unique string(s) for strict mode. |
| `--extra-port PORT` | Add extra TCP port(s) for strict mode. |
| `--pattern REGEX` | Override the broad regex (ignored in strict mode). |

⸻

# What It Cleans

- Suspicious processes & listeners (regex or strict IOC match)
- systemd services (system & user): stop/disable/remove
- Cron jobs (user, root, /etc/cron.*)
- Shell/profile autoruns (.bashrc, .zshrc, /etc/profile, etc.)
- Desktop autostarts (~/.config/autostart/*.desktop)
- Temporary droppers/stagers in /tmp, /var/tmp, /dev/shm

⸻

# What It Won't Clean

- Kernel-level malware (rootkits, eBPF backdoors)
- Loader tricks via LD_PRELOAD (/etc/ld.so.preload)
- Patched system binaries, immutable (chattr +i) files
- Bootloader/initramfs/firmware/UEFI persistence
- Anything hiding outside userland

If you still see unknown listeners after cleanup, backup + reinstall is safest.

⸻

# Safety Model

- Dry-run by default — nothing is removed unless you pass `--apply`.
- Logs to a timestamped file in your current directory.
- Needs sudo only for system paths and root crontabs.

⸻

# Blue-Team Companion

These sample rules help defenders simulate catching this class of malware.

### Sigma (Office → Scripting)

```yaml
title: Office Spawning Scripting or Reverse-Shell Tools
logsource:
  category: process_creation
detection:
  parent_proc:
    ParentImage|endswith:
      - '/soffice.bin'
      - '/libreoffice'
      - '/excel'
  child_proc:
    CommandLine|contains:
      - 'bash -c'
      - 'python'
      - 'nc '
      - 'curl '
      - 'wget '
  condition: parent_proc and child_proc
level: high
```

### Sigma (Suspicious systemd units)

```yaml
title: Suspicious systemd Units Referencing Payload Keywords
logsource:
  product: linux
  service: systemd
detection:
  unit_name:
    Unit|contains:
      - nightshade
      - payload
      - beacon
      - reverse
  condition: unit_name
level: medium
```

### Sysmon for Linux

```xml
<ProcessCreate onmatch="include">
  <CommandLine condition="contains">curl</CommandLine>
  <CommandLine condition="contains">wget</CommandLine>
  <CommandLine condition="contains">| bash</CommandLine>
</ProcessCreate>
```

### KQL (MDE – Linux)

```
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("soffice.bin","libreoffice","excel")
| where FileName in~ ("bash","sh","python","nc","curl","wget")
```

⸻

# Disclaimer

- For defensive use only, on systems you own or are authorized to maintain.
- Intended for labs, PoC cleanup, and blue-team research.
- Not a replacement for AV/EDR.
- No guarantees. Always dry-run first and keep backups.
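The strict-mode matching described under Arguments and What It Cleans, as an added illustration (example code, not lab_cleaner's own): the three IOC kinds from `--extra-name`, `--extra-string` and `--extra-port` are swept over crontab and systemd-unit text, reporting findings without removing anything. The crontab, unit file and IOC set at the bottom are constructed samples, not captured from a real host.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Iocs:  # mirrors --extra-name / --extra-string / --extra-port
    names: set = field(default_factory=set)    # basenames, e.g. "nightshade_dropper.py"
    strings: set = field(default_factory=set)  # unique strings, e.g. "Nightshade C2"
    ports: set = field(default_factory=set)    # TCP ports as ints, e.g. 4444

def match_line(text, iocs):
    """Return the first IOC reason matching one command/directive line, else None."""
    text = text.strip()
    if not text or text.startswith("#"):
        return None
    for name in iocs.names:  # basename only as a whole path component or bare word
        if re.search(r"(?:^|[/\s'\"=])" + re.escape(name) + r"(?=[\s'\"]|$)", text):
            return f"name:{name}"
    for s in iocs.strings:
        if s in text:
            return f"string:{s}"
    for tok in re.findall(r"(?<![\w.])(\d{1,5})(?![\w.])", text):  # standalone numbers only
        if int(tok) in iocs.ports:
            return f"port:{tok}"
    return None

def scan_crontab(owner, text, iocs):
    """Findings as (source, line, reason); only the command field is matched, so a port like 4444 never collides with minute/hour fields."""
    hits = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        parts = raw.split(None, 1) if raw.lstrip().startswith("@") else raw.split(None, 5)
        command = parts[-1] if len(parts) > 1 else ""  # SHELL=/PATH= env lines carry no command
        if reason := match_line(command, iocs):
            hits.append((f"crontab:{owner}", raw, reason))
    return hits

def scan_unit(path, text, iocs):
    """Every directive of a unit file is checked (Description= as well as ExecStart=); dry-run only."""
    return [(f"unit:{path}", ln, r) for ln in text.splitlines() if (r := match_line(ln, iocs))]

SAMPLE_CRONTAB = """# constructed sample crontab, not captured from a host
*/5 * * * * /usr/bin/python3 /tmp/nightshade_dropper.py
0 4 * * * /usr/bin/apt update
@reboot /usr/local/bin/beacon --port 4444"""
SAMPLE_UNIT = """[Unit]
Description=Nightshade C2 beacon
[Service]
ExecStart=/usr/bin/python3 /opt/ns/nightshade_dropper.py"""
SAMPLE_IOCS = Iocs({"nightshade_dropper.py"}, {"Nightshade C2"}, {4444})  # constructed IOC set
```

Running `scan_crontab("root", SAMPLE_CRONTAB, SAMPLE_IOCS)` flags the dropper line and the port-4444 line but not the `apt update` job; the unit sample yields one string hit and one name hit.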

## License

MIT License

Copyright (c) 2026 ek0mssavi0r

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

USE AT YOUR OWN RISK. NO WARRANTY PROVIDED.