Indicator folder: C:\ProgramData\CTES
It registers services with names such as rpcnet or rpcnetp, and the services carry no description text.
Indicator programs:
C:\Windows\System32\rpcnet.exe
C:\Windows\System32\rpcnetp.exe
C:\WINDOWS\SysWOW64\rpcnet.exe
C:\WINDOWS\SysWOW64\rpcnetp.exe
More:
https://community.absolute.com/s/article/Absolute-7-agent-download-size
https://www.absolute.com/company/about-absolute
https://www.cvedetails.com/cve/CVE-2018-16715
Copy the lines below into a .bat file and run it as administrator, from the normal 64-bit cmd (a 32-bit cmd would silently redirect System32 writes to SysWOW64). The script removes the agent that lives in Windows (services, processes, binaries, data folder) and then "immunizes" the machine: each binary path is occupied by an empty directory that Everyone, including SYSTEM, is denied access to, so the file cannot simply be written back. The part it cannot touch is the Absolute Persistence module itself, which resides in the BIOS/UEFI firmware and, while active, re-deploys rpcnet.exe on boot; that is what the immunization guards against, and the only way to remove it for good is the Absolute/Computrace option in the firmware setup, on machines whose OEM exposes it. On a corporate-managed device this should be left to the owner.
@ECHO OFF
rem Remove the CTES / Absolute agent and immunize the binary paths
rem Run from an elevated 64-bit cmd so that System32 paths are not redirected
rem Kill the running agent processes (taskkill /im accepts wildcards)
taskkill /f /im CTES*
taskkill /f /im rpc*
rem Stop the services, then delete their registrations
sc stop "Ctes Manager"
sc stop "AbtSvcHost"
sc stop "CtesDurSvc"
sc stop "CtesHostSvc"
sc stop "ctrarsvc"
sc stop "rpchdp"
sc stop "rpcsdp"
sc stop "rpcld"
sc stop "rpcnet"
sc stop "rpcnetp"
sc stop "fpCsEvtSvc"
sc stop "Drv_Mgr_Service"
rem NPSMSvc_<hex> (original list had NPSMSvc_7477f) is the Windows per-user "Now Playing
rem Session Manager" service, not part of the agent, and its suffix differs on every
rem machine; it is deliberately left out of the stop/delete lists below.
sc delete "Ctes Manager"
sc delete "AbtSvcHost"
sc delete "CtesDurSvc"
sc delete "CtesHostSvc"
sc delete "ctrarsvc"
sc delete "rpchdp"
sc delete "rpcsdp"
sc delete "rpcld"
sc delete "rpcnet"
sc delete "rpcnetp"
sc delete "fpCsEvtSvc"
sc delete "Drv_Mgr_Service"
rem Remove the data folder: clear hidden/system/read-only first, then delete quietly
rem (/q replaces the original "echo y|" answer to the Y/N prompt)
CD "C:\ProgramData"
attrib -h -s -r "C:\ProgramData\CTES\*" /s /d
del /f /q /s "C:\ProgramData\CTES\*"
rd /s /q "C:\ProgramData\CTES"
rem Remove the dropped binaries from both the 64-bit and the 32-bit system directory
del /f /q "C:\WINDOWS\SysWOW64\AbtSvcHost_.exe"
del /f /q "C:\WINDOWS\SysWOW64\rpcnetp.exe"
del /f /q "C:\WINDOWS\SysWOW64\rpcnet.exe"
del /f /q "C:\WINDOWS\SysWOW64\fpCSEvtSvc.exe"
del /f /q "C:\Windows\System32\AbtSvcHost_.exe"
del /f /q "C:\Windows\System32\rpcnetp.exe"
del /f /q "C:\Windows\System32\rpcnet.exe"
del /f /q "C:\Windows\System32\fpCSEvtSvc.exe"
rem Immunize: occupy every binary path with an empty directory, so a file of that
rem name can no longer be created there
MD "C:\Windows\SysWOW64\rpcnetp.exe"
MD "C:\Windows\SysWOW64\rpcnet.exe"
MD "C:\Windows\SysWOW64\fpCSEvtSvc.exe"
MD "C:\WINDOWS\SysWOW64\AbtSvcHost_.exe"
MD "C:\Windows\System32\rpcnetp.exe"
MD "C:\Windows\System32\rpcnet.exe"
MD "C:\Windows\System32\fpCSEvtSvc.exe"
MD "C:\WINDOWS\System32\AbtSvcHost_.exe"
rem Deny Everyone (well-known SID S-1-1-0, which also covers SYSTEM) full control on
rem the decoys. icacls with the SID replaces the deprecated "cacls ... /d Everyone" and
rem does not depend on the localized group name. To undo later:
rem   takeown /f <path> & icacls <path> /reset & rd <path>
icacls "C:\Windows\SysWOW64\rpcnetp.exe" /deny *S-1-1-0:(OI)(CI)F
icacls "C:\Windows\SysWOW64\rpcnet.exe" /deny *S-1-1-0:(OI)(CI)F
icacls "C:\Windows\SysWOW64\fpCSEvtSvc.exe" /deny *S-1-1-0:(OI)(CI)F
icacls "C:\Windows\SysWOW64\AbtSvcHost_.exe" /deny *S-1-1-0:(OI)(CI)F
icacls "C:\Windows\System32\rpcnetp.exe" /deny *S-1-1-0:(OI)(CI)F
icacls "C:\Windows\System32\rpcnet.exe" /deny *S-1-1-0:(OI)(CI)F
icacls "C:\Windows\System32\fpCSEvtSvc.exe" /deny *S-1-1-0:(OI)(CI)F
icacls "C:\Windows\System32\AbtSvcHost_.exe" /deny *S-1-1-0:(OI)(CI)F
rem Same for the data folder
MD "C:\ProgramData\CTES"
icacls "C:\ProgramData\CTES" /deny *S-1-1-0:(OI)(CI)F
PAUSE
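The batch file above deletes and blocks, but it never tells you whether the agent is actually gone or whether the immunization held. The following PowerShell script is an added verification example, not part of the original post: it walks the same indicator list (service names, binary paths, data folder), reports what is still registered or running, and for each decoy directory confirms that a Deny ACE for Everyone (compared by SID S-1-1-0, so it also works on a localized Windows) is really present. Run it elevated, and run it once more after a reboot: if binaries or services come back, the firmware-side persistence module is still active. Everything it knows about the agent comes from the list on this page; any other process or service that merely has a similar name is shown but not judged.

```powershell
# Added verification script (not from the original post). Audits the host for the
# Absolute / CTES indicators listed above and checks the decoy-directory immunization.
# Run in an elevated 64-bit PowerShell, and again after a reboot.
# Assumption: the service and file names below are exactly those from the post.

$serviceNames = 'Ctes Manager', 'AbtSvcHost', 'CtesDurSvc', 'CtesHostSvc', 'ctrarsvc',
                'rpchdp', 'rpcsdp', 'rpcld', 'rpcnet', 'rpcnetp', 'fpCsEvtSvc'
$binaryNames  = 'rpcnet.exe', 'rpcnetp.exe', 'fpCSEvtSvc.exe', 'AbtSvcHost_.exe'
$systemDirs   = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"
$dataDir      = Join-Path $env:ProgramData 'CTES'
$everyoneSid  = 'S-1-1-0'   # well-known SID for Everyone; locale-independent

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Item, $State, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; State = $State; Detail = $Detail })
}

# 1. Service registrations: state, image path, and the tell-tale empty description
foreach ($name in $serviceNames) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if ($svc) {
        $desc = if ([string]::IsNullOrWhiteSpace($svc.Description)) { 'no description' } else { $svc.Description }
        Add-Finding 'Service' $name $svc.State "$($svc.PathName) [$desc]"
    }
}

# 2. Live processes from the agent family (same wildcards the batch file kills)
Get-Process -Name 'rpcnet*', 'CTES*', 'AbtSvcHost*', 'fpCSEvtSvc*' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Process' $_.ProcessName "PID $($_.Id)" $_.Path }

# 3. Each binary path and the data folder: absent, still a file (agent present),
#    or a directory; for a directory, verify the Deny ACE for Everyone is in place.
$paths = foreach ($dir in $systemDirs) { foreach ($bin in $binaryNames) { Join-Path $dir $bin } }
foreach ($path in @($paths) + $dataDir) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) { Add-Finding 'Path' $path 'absent' ''; continue }

    if (-not $item.PSIsContainer) {
        # A real file here means the agent binary is (back) on disk; record who signed it.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        Add-Finding 'Path' $path 'FILE PRESENT (agent not removed)' `
            "sig=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
        continue
    }

    # Owner (Administrators) keeps implicit READ_CONTROL, so an elevated admin can
    # still read the DACL even though Everyone is denied; catch anything else.
    try {
        $acl = Get-Acl -LiteralPath $path
        $denied = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0
        }
        $children = @(Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue).Count
        $state = if ($denied) { 'decoy directory, Everyone denied write' } else { 'directory WITHOUT deny ACE' }
        Add-Finding 'Path' $path $state "owner=$($acl.Owner) children=$children"
    } catch {
        Add-Finding 'Path' $path 'directory, ACL unreadable' $_.Exception.Message
    }
}

# 4. Report; non-zero exit if anything shows the agent is still installed
$findings | Format-Table -AutoSize -Wrap
$stillPresent = $findings | Where-Object {
    ($_.Type -in @('Service', 'Process')) -or ($_.State -like 'FILE PRESENT*')
}
if ($stillPresent) {
    Write-Warning ('Agent artifacts remain. If they return after every reboot, the firmware ' +
                   'persistence module is still active; OS-level cleanup alone cannot remove it.')
    exit 1
}
Write-Host 'No agent services, processes or binaries found; decoy state listed above.'
```

The Deny ACE is checked by SID rather than by the name "Everyone" because group names are localized and an equality test on the display name would silently pass on some language editions. The check only proves that the DACL blocks ordinary writes; a SYSTEM-level process holding SeTakeOwnershipPrivilege could in principle take ownership and reset it, so the decoys are a strong obstacle rather than a guarantee, which is why the post-reboot re-run matters.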