IR Analyst

Restore business services in a prioritized, phased approach with enhanced security monitoring at each phase. Verify no attacker callback or unauthorized access occurs as systems return to production.

Actions

  1. Create service restoration tiers: Tier 1 (authentication, email, ERP), Tier 2 (file shares, internal apps), Tier 3 (development, non-essential). Restore one tier at a time, and do not start a tier until the previous one has passed its monitoring window.
  2. Before each tier, verify on every host in it: security tooling (EDR sensor, log forwarding) is installed and reporting to the console, the enhanced monitoring rules are deployed and have been exercised with a test event, and containment controls (firewall rules, segmentation, disabled accounts) have been updated so the tier's legitimate traffic is allowed while everything else stays blocked.
  3. Deploy enhanced monitoring rules scoped to the restored hosts: alert on known or suspected C2 destinations and any unexpected outbound connection, new services, new accounts and admin-group additions, new scheduled tasks, and PowerShell/WMI remote execution.
  4. After restoring each tier, monitor for 2-4 hours before proceeding. Review EDR telemetry and SIEM alerts for the restored hosts; a confirmed hit sends that host back into containment and to the IR team rather than the restoration moving forward.
  5. Lift network containment gradually: internal traffic first, then controlled internet access (for example through a proxy with an allowlist), then full access, re-running the outbound checks after each step.

Queries

// Detect unexpected outbound from restored systems. "RESTORED_HOSTS" is a placeholder
// for the tier's device names. RemoteUrl is empty for many connections, so the suffix
// allowlist only removes resolved Microsoft traffic; raw-IP connections still surface.
// The Connections > 5 threshold misses low-and-slow beacons, so also review
// regular-interval destinations below it (FirstSeen/LastSeen help spot that).
DeviceNetworkEvents
| where Timestamp > ago(4h)
| where DeviceName in ("RESTORED_HOSTS")
| where RemoteUrl !endswith ".microsoft.com"
| summarize Connections=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by RemoteUrl, RemoteIP
| where Connections > 5
| order by Connections desc

// Alert on new accounts, admin-group changes, services and scheduled tasks on restored hosts.
// 4697 (service installed) is the Security-log event and needs the "Audit Security System
// Extension" subcategory; 7045 is written to the System log and lands in the Event table,
// not SecurityEvent, so it would never match here. 4698 needs "Audit Other Object Access
// Events". 4728 covers domain global groups (e.g. Domain Admins), 4732 local groups.
SecurityEvent
| where TimeGenerated > ago(4h)
| where Computer in ("RESTORED_HOSTS")
| where EventID in (4720, 4728, 4732, 4697, 4698)
| project TimeGenerated, Computer, EventID, Activity
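The two checks above, and the step-4 "clean or not" decision they feed, as an added Python example that is not part of this playbook. It re-implements the queries over an offline export (useful when the tier's hosts are still cut off from the SIEM) and goes one step beyond the page's count threshold by flagging destinations whose connection intervals are too regular, which is what low-and-slow C2 looks like. All hostnames, domains, IPs, timestamps and events are constructed sample data, and the tuple layouts are an assumed export format, not a Defender or Sentinel API.

```python
"""Post-tier restoration gate, run over an EDR/SIEM export.

Added example, not code from the playbook. Re-implements the two KQL checks
above so they can run offline, and adds an interval-regularity (beaconing)
check that the raw "more than 5 connections" threshold would miss. All
hosts, domains, IPs and events are constructed; the tuple layouts are an
assumed export format, not a Defender or Sentinel API.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Hypothetical tier-1 hosts just brought back (stands in for "RESTORED_HOSTS").
RESTORED_HOSTS = {"erp01", "mail01"}
# Assumed allowlist of expected destinations; extend per environment.
ALLOWED_SUFFIXES = (".microsoft.com", ".windowsupdate.com")
# Security-log IDs for new accounts, admin-group changes, services, tasks.
PERSISTENCE_EVENT_IDS = {4720, 4728, 4732, 4697, 4698}


def _t(minutes):
    """Timestamp helper: minutes after a fixed start (constructed clock)."""
    return datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minutes)


# (DeviceName, RemoteUrl, RemoteIP, Timestamp) -- constructed sample events.
NETWORK_EVENTS = [
    # erp01 calls an unknown host every ~10 min: only 4 hits, so the count
    # threshold alone never fires, but the timing is too regular.
    ("erp01", "cdn-telemetry.example.net", "198.51.100.7", _t(0)),
    ("erp01", "cdn-telemetry.example.net", "198.51.100.7", _t(10)),
    ("erp01", "cdn-telemetry.example.net", "198.51.100.7", _t(20.2)),
    ("erp01", "cdn-telemetry.example.net", "198.51.100.7", _t(29.9)),
    # mail01: noisy but allowlisted update traffic.
    *[("mail01", "update.microsoft.com", "20.0.0.1", _t(m)) for m in range(0, 40, 5)],
    # mail01: many raw-IP connections (empty RemoteUrl) at irregular times.
    *[("mail01", "", "203.0.113.5", _t(m)) for m in (1, 2, 9, 15, 16, 30, 45)],
    # dev05 is not in this tier yet, so its traffic is out of scope.
    ("dev05", "", "203.0.113.9", _t(3)),
]

# (Computer, EventID, TimeGenerated, Activity) -- constructed sample events.
SECURITY_EVENTS = [
    ("erp01", 4720, _t(12), "A user account was created."),
    ("erp01", 4624, _t(13), "An account was successfully logged on."),
    ("mail01", 4697, _t(25), "A service was installed in the system."),
    ("dev05", 4698, _t(26), "A scheduled task was created."),
]


def suspicious_outbound(events, hosts, allowed=ALLOWED_SUFFIXES,
                        min_conns=5, max_jitter=0.2):
    """Mirror of the DeviceNetworkEvents query plus a beacon heuristic.

    Groups connections from restored hosts by (RemoteUrl, RemoteIP), drops
    allowlisted URLs (an empty RemoteUrl is never allowlisted), then flags a
    destination when it has more than min_conns connections OR when the gaps
    between connections are regular (coefficient of variation below
    max_jitter over at least three gaps), which is how low-and-slow C2 looks.
    """
    groups = defaultdict(list)
    for device, url, ip, ts in events:
        if device not in hosts or (url and url.endswith(allowed)):
            continue
        groups[(url, ip)].append(ts)

    findings = []
    for remote, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beacon = False
        if len(gaps) >= 3:
            mean = sum(gaps) / len(gaps)
            beacon = mean > 0 and pstdev(gaps) / mean < max_jitter
        if len(times) > min_conns or beacon:
            findings.append({"remote": remote, "connections": len(times),
                             "beacon": beacon})
    return sorted(findings, key=lambda f: -f["connections"])


def persistence_events(events, hosts, ids=PERSISTENCE_EVENT_IDS):
    """Mirror of the SecurityEvent query: account, group, service and task
    creation on restored hosts only."""
    return [e for e in events if e[0] in hosts and e[1] in ids]


def tier_is_clean(net_events, sec_events, hosts):
    """Gate for step 4: proceed to the next tier only if both checks are empty."""
    return (not suspicious_outbound(net_events, hosts)
            and not persistence_events(sec_events, hosts))


if __name__ == "__main__":
    for f in suspicious_outbound(NETWORK_EVENTS, RESTORED_HOSTS):
        print("outbound", f)
    for e in persistence_events(SECURITY_EVENTS, RESTORED_HOSTS):
        print("persistence", e)
    print("proceed:", tier_is_clean(NETWORK_EVENTS, SECURITY_EVENTS, RESTORED_HOSTS))
```

On the sample data the raw-IP destination is caught by the count threshold, the regular every-10-minutes destination is caught only by the jitter check, the allowlisted update traffic and the not-yet-restored dev05 host are ignored, and the gate returns False, so the tier stays in its monitoring window. The 0.2 jitter bound and the three-gap minimum are starting values; tune them against a known-good tier before relying on the beacon check, since some legitimate agents also check in on a fixed schedule.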

Notes

  • Do not rush restoration. Each tier should be verified stable and clean before proceeding.
  • Keep the IR team on standby during restoration so that re-infection or renewed attacker activity on a restored host can be contained immediately.