Patch Exploited Vulnerabilities to Prevent Re-Compromise

Phase: Eradication | Priority: P2 | Time: 60 min
Role: IR Analyst

Identify and patch the specific vulnerability exploited for initial access. Verify patch effectiveness and check for additional vulnerable systems across the environment.

Actions

  1. Confirm the exact CVE or vulnerability exploited based on investigation findings. Cross-reference with the initial access analysis.
  2. Test the patch in a staging environment if possible. Apply the patch to all affected systems: production, development, and staging environments.
  3. Verify the patch was applied successfully: check version numbers, run vulnerability scans against the patched systems, and attempt to reproduce the exploit (in a safe manner).
  4. Scan the entire environment for additional systems with the same vulnerability using tools like Nessus, Qualys, or nmap scripts: `nmap --script vuln -p PORT TARGET_RANGE -oA vuln_scan_results`.
  5. If a patch is not yet available, implement compensating controls: WAF rules, network segmentation, or disabling the vulnerable feature.
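Steps 3 and 4 both come down to comparing installed versions against the fixed version across every host. The following added example (not part of the playbook) does that over a constructed software inventory export; the software name, hostnames and version numbers are placeholders. It uses numeric version comparison, because a plain string comparison would wrongly report 2.4.10 as older than 2.4.9 and miss an unpatched host.

```python
"""Post-patch verification: list hosts whose installed build is still below
the fixed version. Version strings are compared numerically, not as text."""
import re

# Constructed inventory export (hostname, software, installed version).
# In practice this would come from a vulnerability scanner or inventory query.
INVENTORY = """\
web-01,ExampleApp,2.4.9
web-02,ExampleApp,2.4.10
web-03,ExampleApp,2.5.0-rc1
db-01,OtherApp,1.2.3
"""

def parse_version(v):
    """Turn '2.4.10' or '2.5.0-rc1' into a comparable tuple.

    Numeric components are padded so 2.5 == 2.5.0, and a pre-release tag
    sorts before the corresponding final release.
    """
    m = re.match(r'^(\d+(?:\.\d+)*)(?:-(.+))?$', v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split('.'))
    nums = nums + (0,) * (4 - len(nums))
    pre = m.group(2)
    return (nums, (0, pre) if pre else (1, ""))

def parse_inventory(text):
    """Parse comma-separated inventory lines into (host, software, version)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, software, version = (f.strip() for f in line.split(','))
        rows.append((host, software, version))
    return rows

def find_unpatched(inventory_text, software, fixed_version):
    """Return the sorted hostnames running `software` below `fixed_version`."""
    fixed = parse_version(fixed_version)
    return sorted(host for host, sw, ver in parse_inventory(inventory_text)
                  if sw == software and parse_version(ver) < fixed)

if __name__ == "__main__":
    # Placeholder fixed version for the placeholder CVE
    print(find_unpatched(INVENTORY, "ExampleApp", "2.4.10"))  # ['web-01']
```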

Queries

Find all devices with the exploited vulnerability (Microsoft Defender advanced hunting, KQL):

```kql
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-XXXX-XXXXX"
| project DeviceName, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel
| order by VulnerabilitySeverityLevel desc
```

Notes

  • Patching only the initially compromised system is insufficient. All systems with the same vulnerability must be patched to prevent the attacker from re-entering through a different instance.
  • Keep the vulnerability details confidential until all systems are patched.