Recovery | P2 | ~120 min

Phased Service Restoration with Enhanced Monitoring

Restore business services in a prioritized, phased approach with enhanced security monitoring at each phase. Verify no attacker callback or unauthorized access occurs as systems return to production.

Actions

  1. Create service restoration tiers: Tier 1 (authentication, email, ERP), Tier 2 (file shares, internal apps), Tier 3 (development, non-essential). Restore one tier at a time, starting with the services the others depend on (identity first).

  2. Before each tier, verify: security tooling (EDR agent, log forwarding) installed and reporting on every host in the tier, monitoring rules deployed, and containment controls (firewall rules, isolation policies) updated to permit the tier's legitimate traffic and nothing more.

  3. Deploy enhanced monitoring rules: alert on connections to known C2 infrastructure or beaconing patterns, new services, new scheduled tasks, new or privileged account creation, and PowerShell/WMI remote execution on the restored hosts.

  4. After restoring each tier, monitor for 2-4 hours before proceeding. Check EDR telemetry and SIEM alerts for anomalies, and treat any unexplained finding as a stop condition for the next tier.

  5. Lift network containment gradually: internal traffic first, then controlled internet (proxy/allowlist), then full access. Re-run the monitoring checks after each change.

Queries

KQL (Defender XDR Advanced Hunting / Sentinel): detect unexpected outbound connections from restored systems

    // Replace the placeholders with the hosts in the tier just restored
    let RestoredHosts = dynamic(["RESTORED_HOST_1", "RESTORED_HOST_2"]);
    DeviceNetworkEvents
    | where Timestamp > ago(4h)
    | where DeviceName in~ (RestoredHosts)
    | where RemoteIPType == "Public"               // internal traffic is reviewed separately
    | where RemoteUrl !endswith ".microsoft.com"   // extend with your own destination allowlist
    | summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
        by DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
    | where Connections > 5
    | order by Connections desc

KQL (Sentinel): alert on new accounts, group membership changes, services and scheduled tasks

    // 7045 (service installed) is written to the System log, so it never appears in
    // SecurityEvent; its Security-log counterpart is 4697, and the System log is read
    // from the Event table. Both are collected below.
    let RestoredHosts = dynamic(["RESTORED_HOST_1", "RESTORED_HOST_2"]);
    SecurityEvent
    | where TimeGenerated > ago(4h)
    | where Computer in~ (RestoredHosts)
    | where EventID in (4720, 4732, 4697, 4698)
    | project TimeGenerated, Computer, EventID, Activity, SubjectUserName, TargetUserName
    | union (
        Event
        | where TimeGenerated > ago(4h)
        | where Computer in~ (RestoredHosts)
        | where EventLog == "System" and EventID == 7045
        | project TimeGenerated, Computer, EventID, Activity = RenderedDescription
    )
    | order by TimeGenerated asc

SPL (Splunk, Windows Security + System logs): alert on new accounts, group changes, services and scheduled tasks

    index=wineventlog host IN ("RESTORED_HOST_1","RESTORED_HOST_2") earliest=-4h
        ((sourcetype=WinEventLog:Security EventCode IN (4720, 4732, 4697, 4698))
         OR (sourcetype=WinEventLog:System EventCode=7045))
    | table _time, host, sourcetype, EventCode, Account_Name, Message
    | sort _time

The System log must be forwarded as well as Security; 7045 is not in the Security sourcetype.

SPL (Splunk, Sysmon): outbound connections from restored hosts to non-RFC 1918 destinations

    index=sysmon sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
        host IN ("RESTORED_HOST_1","RESTORED_HOST_2") EventCode=3 Initiated=true earliest=-4h
    | where NOT (cidrmatch("10.0.0.0/8", DestinationIp)
                 OR cidrmatch("172.16.0.0/12", DestinationIp)
                 OR cidrmatch("192.168.0.0/16", DestinationIp))
    | stats count, min(_time) AS first_seen, max(_time) AS last_seen BY host, Image, DestinationIp, DestinationPort
    | sort -count

The private-range filter is applied with cidrmatch before stats; a wildcard such as 172.16.* only covers 172.16.0.0/16 and misses the rest of 172.16.0.0/12.
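The monitoring gate from Actions steps 3 and 4, expressed as code so it can be dry-run against an exported batch of telemetry before the next tier goes live. This is an added example, not part of the original playbook or any vendor tool. It applies the same rules as the queries above (account, group, service and scheduled-task creation on restored hosts; repeated outbound connections to non-allowlisted public destinations) and returns a proceed/stop verdict with the findings. The host names, the ".microsoft.com" allowlist, the threshold, the event field names and every sample record are constructed assumptions; in use you would feed it the SIEM or EDR export for the monitoring window.

```python
"""Restoration-tier monitoring gate (added example, constructed data)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hosts in the tier that was just restored (constructed sample names).
RESTORED_HOSTS = {"ERP-APP01", "MAIL-01"}

# RFC 1918 ranges; anything else is treated as "internet" for this check.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed destination allowlist, mirroring the KQL query's single exclusion.
ALLOWED_URL_SUFFIXES = (".microsoft.com",)

# Same connection threshold as the DeviceNetworkEvents query.
BEACON_THRESHOLD = 5

# Events that should not occur on a host rebuilt from a known-good image.
# 7045 lives in the System log, not Security; 4697 is its Security-log twin.
WATCHED_EVENTS = {
    ("Security", 4720): "user account created",
    ("Security", 4732): "member added to security-enabled local group",
    ("Security", 4697): "service installed (Security log)",
    ("Security", 4698): "scheduled task created",
    ("System", 7045): "service installed (System log)",
}


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def audit_host_events(events):
    """Flag account/group/service/task creation on restored hosts."""
    findings = []
    for ev in events:
        if ev["host"] not in RESTORED_HOSTS:
            continue
        label = WATCHED_EVENTS.get((ev["channel"], ev["event_id"]))
        if label:
            findings.append({"host": ev["host"], "rule": label, "detail": ev.get("detail", "")})
    return findings


def audit_network(conns):
    """Flag repeated outbound connections to non-allowlisted public destinations."""
    counts = Counter()
    for c in conns:
        if c["host"] not in RESTORED_HOSTS or not c.get("initiated", True):
            continue
        if is_private(c["remote_ip"]):
            continue
        url = c.get("remote_url", "")
        if url and url.endswith(ALLOWED_URL_SUFFIXES):
            continue
        counts[(c["host"], c["remote_ip"], url)] += 1
    return [
        {"host": h, "rule": "repeated outbound to unexpected destination",
         "detail": f"{n} connections to {ip} {url or '(no URL)'}"}
        for (h, ip, url), n in counts.items() if n > BEACON_THRESHOLD
    ]


def restoration_gate(events, conns):
    """Decide whether the next tier may be restored; any finding blocks it."""
    findings = audit_host_events(events) + audit_network(conns)
    return {"proceed": not findings, "findings": findings}


# Constructed sample telemetry for one 4-hour monitoring window.
SAMPLE_EVENTS = [
    {"host": "ERP-APP01", "channel": "Security", "event_id": 4624, "detail": "svc_erp logon"},
    {"host": "MAIL-01", "channel": "Security", "event_id": 4698, "detail": "task \\Updater"},
    {"host": "ERP-APP01", "channel": "System", "event_id": 7045, "detail": "service PSEXESVC"},
    {"host": "DEV-01", "channel": "Security", "event_id": 4720, "detail": "not a restored host"},
]
SAMPLE_CONNS = (
    [{"host": "MAIL-01", "remote_ip": "203.0.113.10", "remote_url": ""}] * 7      # likely beacon
    + [{"host": "MAIL-01", "remote_ip": "198.51.100.5", "remote_url": ""}] * 3    # under threshold
    + [{"host": "ERP-APP01", "remote_ip": "10.0.0.5", "remote_url": ""}] * 20     # internal, ignored
    + [{"host": "ERP-APP01", "remote_ip": "203.0.113.50", "remote_url": "login.microsoft.com"}] * 9
)

if __name__ == "__main__":
    verdict = restoration_gate(SAMPLE_EVENTS, SAMPLE_CONNS)
    print("proceed:", verdict["proceed"])
    for f in verdict["findings"]:
        print(f" - {f['host']}: {f['rule']} ({f['detail']})")
```

On the sample data the gate stops the restoration with three findings: the scheduled task on MAIL-01, the PSEXESVC service on ERP-APP01, and seven connections from MAIL-01 to a public address with no URL. The three connections to 198.51.100.5 stay under the threshold and are not reported, which is the same blind spot the count-based query has; low-and-slow beaconing needs a longer window or a periodicity check.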

Notes

Do not rush restoration. Each tier should be verified stable and clean before proceeding.

Keep IR team on standby during restoration in case re-infection is detected.
