Patch Exploited Vulnerabilities to Prevent Re-Compromise
Identify and patch the specific vulnerability exploited for initial access. Verify patch effectiveness and check for additional vulnerable systems across the environment.
Actions
1. Confirm the exact CVE or vulnerability exploited, based on the investigation findings. Cross-reference with the initial access analysis so the patch addresses the entry point actually used, not just a related advisory for the same product.
2. Test the patch in a staging environment if possible, then apply it to all affected systems: production, development, and staging environments.
3. Verify the patch was applied successfully: check version numbers on each host, run an authenticated vulnerability scan against the patched systems, and re-run the proof-of-concept against a patched system in an isolated environment to confirm it now fails. A version string alone can mislead when a vendor backports the fix without changing the reported version, so prefer the scanner's check or the PoC over a version lookup.
4. Scan the entire environment for additional systems with the same vulnerability using tools like Nessus, Qualys, or nmap scripts: `nmap --script vuln -p PORT TARGET_RANGE -oA vuln_scan_results`. The nmap `vuln` script category only covers CVEs that have a script and can produce false positives, so treat it as a quick triage pass and rely on the authenticated scanner for coverage.
5. If a patch is not yet available, implement compensating controls: WAF rules or IPS signatures for the exploit traffic, network segmentation to remove the service from untrusted reach, or disabling the vulnerable feature. Add detection for exploitation attempts so that a bypass of the compensating control is visible.
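As a worked example of steps 3 and 4, the script below (added here; it is not code from the original playbook) takes a scanner or inventory export, keeps the rows for the exploited CVE, and separates hosts at or above the vendor's fixed version from hosts still below it, producing the work queue and the closure counts. The CSV layout, the placeholder software name `exampled`, the placeholder CVE identifiers, and the fixed version `2.4.51` are all assumptions; substitute the fields and values from your own scanner export and the vendor advisory. The sample export is constructed for the example.

```python
"""
Post-patch verification helper (added example; not part of the original playbook).

Assumptions (not taken from the playbook):
  - a scanner/inventory export is available as CSV with the columns
    host, software, version, cve, severity
  - the vendor's fixed version for the exploited CVE is known
Version strings are compared numerically component by component, because a
plain string comparison would rank "1.10.0" below "1.9.0".
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Severity rank so that results can be ordered correctly; vulnerability
# feeds usually expose severity as text, which sorts alphabetically otherwise.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Constructed sample export: mixes hosts that were patched, hosts that were
# missed, and a row for an unrelated CVE that must be ignored.
SAMPLE_EXPORT = """host,software,version,cve,severity
web-01,exampled,2.4.49,CVE-XXXX-XXXXX,Critical
web-02,exampled,2.4.51,CVE-XXXX-XXXXX,Critical
web-03,exampled,2.4.10,CVE-XXXX-XXXXX,Critical
dev-01,exampled,2.4.50-1build1,CVE-XXXX-XXXXX,Critical
db-01,otherpkg,1.2.3,CVE-XXXX-YYYYY,High
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.49' (or '2.4.49-1ubuntu2') into a comparable tuple of ints."""
    # Keep only the leading dotted numeric part; drop distro/build suffixes.
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if core is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def find_unpatched(export_csv: str, cve: str, fixed_version: str) -> List[Dict[str, str]]:
    """Return rows for hosts still running a version below fixed_version for cve.

    Results are ordered by severity (highest first), then by host name, so the
    list can be handed to the patching team as a work queue.
    """
    rows = csv.DictReader(io.StringIO(export_csv))
    remaining = [
        row for row in rows
        if row["cve"] == cve and not is_patched(row["version"], fixed_version)
    ]
    remaining.sort(key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["host"]))
    return remaining


def verification_summary(export_csv: str, cve: str, fixed_version: str) -> Dict[str, int]:
    """Count patched vs. still-vulnerable hosts for the CVE, for the closure report."""
    rows = [r for r in csv.DictReader(io.StringIO(export_csv)) if r["cve"] == cve]
    unpatched = sum(1 for r in rows if not is_patched(r["version"], fixed_version))
    return {"total": len(rows), "patched": len(rows) - unpatched, "unpatched": unpatched}


if __name__ == "__main__":
    CVE = "CVE-XXXX-XXXXX"   # placeholder; substitute the CVE from the investigation
    FIXED = "2.4.51"         # placeholder fixed version from the vendor advisory
    for row in find_unpatched(SAMPLE_EXPORT, CVE, FIXED):
        print(f"{row['host']}: {row['software']} {row['version']} < {FIXED} ({row['severity']})")
    print(verification_summary(SAMPLE_EXPORT, CVE, FIXED))
```

The version comparison is deliberately numeric rather than lexical, and the build suffix is stripped before comparing; the same backport caveat from step 3 still applies, so a host this script reports as patched should also clear the authenticated scan.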
Queries
DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-XXXX-XXXXX" | project DeviceName, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate | order by DeviceName asc // Find all devices with the exploited vulnerability; VulnerabilitySeverityLevel is text and is the same for every row of one CVE, so ordering by it is not useful here
index=vulnerability (sourcetype=tenable:sc:vuln OR sourcetype=qualys:hostDetection) cve="CVE-XXXX-XXXXX" | stats count by dest, severity, pluginName, solution | sort -severity -count
Notes
Patching only the initially compromised system is insufficient. All systems with the same vulnerability must be patched to prevent the attacker from re-entering through a different instance.
Keep the vulnerability details confidential until all systems are patched.