IR Analyst

Systematically verify that every identified attacker foothold, persistence mechanism, and malicious artifact has been removed from the environment before clearing systems for recovery.

Actions

  1. Run a full Autoruns sweep on all Windows hosts previously in scope -- compare against pre-incident baseline and flag any new entries added during the compromise window
  2. Execute YARA rules for all known malware hashes and families identified during analysis across every endpoint using EDR live-response or Velociraptor hunts
  3. Verify all compromised credentials have been reset: cross-reference the credential exposure list against Azure AD password-last-changed timestamps and on-prem AD pwdLastSet attributes
  4. Confirm all malicious scheduled tasks, services, registry run keys, cron jobs, and startup items identified during analysis have been removed -- verify with a second independent check
  5. Validate network containment release: confirm that firewall rules blocking attacker C2 infrastructure remain active and that no new connections to known-bad destinations appear in the last 24 hours
  6. Sweep for secondary persistence: check for rogue OAuth apps, mail forwarding rules, SSH authorized_keys additions, web shells, and WMI event subscriptions that may have been missed
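
Action 1 in code form, as an added example that is not part of the playbook: a Python diff of two `autorunsc -c` CSV exports (a pre-incident baseline and a post-eradication sweep) that flags entries that are new or whose image path or hash changed, and splits them by whether the entry's Time falls inside the compromise window. The sample rows, the column names and the time format are constructed assumptions modelled on the Autoruns export layout; adjust them to the real export before use.

```python
import csv
import io
from datetime import datetime

# Time format of the constructed samples (real exports use the host locale; adjust to match).
TIME_FMT = "%Y-%m-%d %H:%M"

# Constructed sample data shaped like an `autorunsc -c` export; the column names are an
# assumption based on the Autoruns CSV layout, and real exports carry more columns.
BASELINE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Image Path,Launch String,SHA-256
2023-01-10 09:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,aaaa1111
2023-01-10 09:00,Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,Tasks,c:\windows\system32\defrag.exe,%windir%\system32\defrag.exe -c -h,bbbb2222
"""
CURRENT_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Image Path,Launch String,SHA-256
2023-01-10 09:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,aaaa1111
2024-03-02 14:30,Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,Tasks,c:\users\public\defrag.exe,c:\users\public\defrag.exe -c -h,cccc3333
2024-03-03 02:15,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,c:\users\bob\appdata\roaming\updater.exe,c:\users\bob\appdata\roaming\updater.exe,dddd4444
2023-12-01 08:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,c:\program files\microsoft onedrive\onedrive.exe,c:\program files\microsoft onedrive\onedrive.exe /background,eeee5555
"""

def load_autoruns(text):
    """Index an Autoruns CSV export by (Entry Location, Entry)."""
    return {(r["Entry Location"], r["Entry"]): r
            for r in csv.DictReader(io.StringIO(text))}

def diff_autoruns(baseline_csv, current_csv, window_start, window_end):
    """Return {'in_window': [...], 'review': [...]} of suspect autostart entries.
    Suspect = absent from the baseline, or image path / hash changed. Time is a
    timestamp an intruder may alter, so out-of-window hits are kept for review, not dropped."""
    baseline = load_autoruns(baseline_csv)
    result = {"in_window": [], "review": []}
    for key, row in load_autoruns(current_csv).items():
        old = baseline.get(key)
        if old is None:
            reason = "new since baseline"
        elif (old["Image Path"], old["SHA-256"]) != (row["Image Path"], row["SHA-256"]):
            reason = "image path or hash changed"
        else:
            continue  # identical to baseline
        ts = datetime.strptime(row["Time"], TIME_FMT)
        bucket = "in_window" if window_start <= ts <= window_end else "review"
        result[bucket].append((key[0], key[1], row["Image Path"], reason))
    return result

def sample_report():
    """Diff the constructed samples over a constructed compromise window (1-5 March 2024)."""
    return diff_autoruns(BASELINE_CSV, CURRENT_CSV, datetime(2024, 3, 1), datetime(2024, 3, 5))
```

Calling sample_report() separates the two in-window hits (the modified ScheduledDefrag task and the new Updater Run key) from the out-of-window OneDrive entry, which still lands in the review list rather than being silently dropped.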

Queries

// KQL -- Verify no ransomware/malware re-execution post-eradication
DeviceProcessEvents
| where Timestamp > ago(48h)
| where SHA256 in ("<HASH_1>","<HASH_2>","<HASH_3>")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc

// KQL -- Check for residual C2 communication
DeviceNetworkEvents
| where Timestamp > ago(48h)
| where RemoteIP in ("<C2_IP_1>","<C2_IP_2>") or RemoteUrl has_any ("<C2_DOMAIN_1>","<C2_DOMAIN_2>")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName

// PowerShell -- Verify credential resets across AD
# Any account returned has NOT had its password changed in the last 2 days (adjust the
# window to the reset date); an empty result means every listed account was reset
Get-ADUser -Filter * -Properties PasswordLastSet |
  Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-2) -and $_.SamAccountName -in @("<USER1>","<USER2>") } |
  Select-Object SamAccountName, PasswordLastSet, Enabled

Notes

  • Eradication verification must be performed by a different analyst than the one who executed the removal actions -- independent validation catches oversights
  • Allow 24-48 hours of monitoring after eradication before clearing systems for recovery to catch any re-infection or missed persistence
  • Document every verification step with evidence (screenshots, query results, timestamps) for the post-incident report and potential legal proceedings