Eradication Verification Checklist
Systematically verify that every identified attacker foothold, persistence mechanism, and malicious artifact has been removed from the environment before clearing systems for recovery.
Actions
1. Run a full Autoruns sweep on all Windows hosts previously in scope -- compare against pre-incident baseline and flag any new entries added during the compromise window
2. Execute YARA rules for all known malware hashes and families identified during analysis across every endpoint using EDR live-response or Velociraptor hunts
3. Verify all compromised credentials have been reset: cross-reference the credential exposure list against Azure AD password-last-changed timestamps and on-prem AD pwdLastSet attributes
4. Confirm all malicious scheduled tasks, services, registry run keys, cron jobs, and startup items identified during analysis have been removed -- verify with a second independent check
5. Validate network containment release: confirm that firewall rules blocking attacker C2 infrastructure remain active and that no new connections to known-bad destinations appear in the last 24 hours
6. Sweep for secondary persistence: check for rogue OAuth apps, mail forwarding rules, SSH authorized_keys additions, web shells, and WMI event subscriptions that may have been missed
7. Deploy IOC sweeps using YARA rules across all endpoints via Velociraptor: `velociraptor hunt --artifacts Generic.Detection.Yara.Glob --args glob="C:\Users\**\*" --args yara_file=case_iocs.yar`. Also run Loki IOC scanner as a secondary validation: `loki.exe -p C:\ --dontwait --csv -l loki_scan.log` -- Loki checks for known hacking tools, web shells, and suspicious filenames.
8. Run a post-eradication Chainsaw sweep against all event logs to confirm no new malicious activity since cleanup: `chainsaw hunt evtx_folder/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --from "CLEANUP_TIMESTAMP" --csv --output post_cleanup_chainsaw.csv`. Any new detections after the cleanup timestamp indicate missed persistence or re-compromise.
Queries
// KQL -- Verify no ransomware/malware re-execution post-eradication
DeviceProcessEvents
| where Timestamp > ago(48h)
| where SHA256 in ("<HASH_1>","<HASH_2>","<HASH_3>")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc

// KQL -- Check for residual C2 communication
DeviceNetworkEvents
| where Timestamp > ago(48h)
| where RemoteIP in ("<C2_IP_1>","<C2_IP_2>") or RemoteUrl has_any ("<C2_DOMAIN_1>","<C2_DOMAIN_2>")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName

// PowerShell -- Verify credential resets across AD: returns the exposed accounts whose password has NOT been changed in the last 2 days (an empty result means every listed account was reset)
Get-ADUser -Filter * -Properties PasswordLastSet |
Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-2) -and $_.SamAccountName -in @("<USER1>","<USER2>") } |
Select-Object SamAccountName, PasswordLastSet, Enabled

// Splunk -- Verify no malware re-execution (Security 4688 process creation)
index=wineventlog sourcetype=WinEventLog:Security EventCode=4688 (New_Process_Name="*\<MALWARE_NAME>" OR SHA256="<HASH_1>" OR SHA256="<HASH_2>") earliest=-48h | stats count by New_Process_Name, Account_Name, ComputerName, Process_Command_Line | sort -count

// Splunk -- Check for residual C2 communication in firewall logs
index=firewall sourcetype=pan:traffic (dest_ip="<C2_IP_1>" OR dest_ip="<C2_IP_2>" OR dest="<C2_DOMAIN_1>" OR dest="<C2_DOMAIN_2>") earliest=-48h | stats count by src_ip, dest_ip, dest_port, action | sort -count
Notes
Eradication verification must be performed by a different analyst than the one who executed the removal actions -- independent validation catches oversights
Allow 24-48 hours of monitoring after eradication before clearing systems for recovery to catch any re-infection or missed persistence
Document every verification step with evidence (screenshots, query results, timestamps) for the post-incident report and potential legal proceedings
Check for Security EID 1102 (audit log cleared) or System EID 104 (event log cleared) during the monitoring window -- log clearing after eradication indicates the attacker still has access. Also monitor for new service installations (EID 7045), scheduled task creation (EID 4698), and account creation (EID 4720) as indicators of re-compromise.
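The two checks that are easiest to automate from this list are the credential-reset cross-reference (action 3) and the re-compromise event IDs named in the note above. The following is an added example, not part of the original checklist: it takes a cleanup timestamp, an exposure list with pwdLastSet values, and a set of Windows events, and reports accounts still needing a reset and indicator events logged after cleanup. All account names, hostnames and timestamps are constructed sample values.

```python
from datetime import datetime

# Re-compromise indicators named in the checklist notes, keyed by (channel, event id)
RECOMPROMISE_INDICATORS = {
    ("Security", 1102): "audit log cleared",
    ("System", 104): "event log cleared",
    ("System", 7045): "new service installed",
    ("Security", 4698): "scheduled task created",
    ("Security", 4720): "user account created",
}

def _ts(value):
    # Parse an ISO-8601 UTC timestamp such as 2024-05-10T14:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def unreset_credentials(exposure_list, pwd_last_set, cleanup_ts):
    """Exposed accounts whose pwdLastSet is not later than the cleanup timestamp.
    An account missing from pwd_last_set could not be resolved and is reported too."""
    cleanup = _ts(cleanup_ts)
    return sorted(user for user in exposure_list
                  if user not in pwd_last_set or _ts(pwd_last_set[user]) <= cleanup)

def recompromise_indicators(events, cleanup_ts):
    """Indicator events (see RECOMPROMISE_INDICATORS) recorded after cleanup, oldest first."""
    cleanup = _ts(cleanup_ts)
    hits = []
    for event in events:
        key = (event["Channel"], event["EventID"])
        if key in RECOMPROMISE_INDICATORS and _ts(event["TimeCreated"]) > cleanup:
            hits.append((event["TimeCreated"], event["Computer"], event["EventID"],
                         RECOMPROMISE_INDICATORS[key]))
    return sorted(hits)

# Constructed sample data (hypothetical case values, not from a real incident)
CLEANUP_TS = "2024-05-10T14:00:00Z"
EXPOSED_ACCOUNTS = ["svc_backup", "jdoe", "adm_helpdesk"]
PWD_LAST_SET = {"svc_backup": "2024-05-10T15:30:00Z",  # reset after cleanup
                "jdoe": "2024-03-01T09:00:00Z"}        # never reset; adm_helpdesk unresolved
EVENTS = [
    {"TimeCreated": "2024-05-10T13:55:00Z", "Computer": "WS01", "Channel": "Security", "EventID": 4698},  # pre-cleanup
    {"TimeCreated": "2024-05-11T02:10:00Z", "Computer": "DC01", "Channel": "Security", "EventID": 1102},
    {"TimeCreated": "2024-05-11T02:12:00Z", "Computer": "DC01", "Channel": "System", "EventID": 7045},
    {"TimeCreated": "2024-05-11T03:00:00Z", "Computer": "WS02", "Channel": "Security", "EventID": 4624},  # logon only
]

if __name__ == "__main__":
    print("credentials still to reset:", unreset_credentials(EXPOSED_ACCOUNTS, PWD_LAST_SET, CLEANUP_TS))
    for hit in recompromise_indicators(EVENTS, CLEANUP_TS):
        print("re-compromise indicator:", hit)
```

Feed it the real exposure list and an export of the relevant event channels filtered from the cleanup timestamp; any non-empty output is a verification failure that has to be resolved before systems are cleared for recovery.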