Rebuild Compromised Systems from Known-Good Images
Recovery | P1 | 240 min
Role: IR Analyst
Rebuild compromised systems from gold images, restore data from verified clean backups, and validate system integrity before returning to production.
Actions
1. Take a final forensic image of each compromised system before rebuilding (for evidence preservation).
2. Rebuild systems from the organization's gold image. Apply all current security patches to the fresh image.
3. Install and configure the EDR agent, verify it is reporting to the console, and run a full system scan.
4. Restore application data from the last known clean backup (verified in backup validation). Verify data integrity and application functionality.
5. Harden the rebuilt system: disable unnecessary services, apply CIS benchmarks, enforce MFA, and update to the latest security baseline.
Queries
DeviceInfo | where Timestamp > ago(1h) | where DeviceName == "REBUILT_HOST" | project DeviceName, OSPlatform, OSVersion, OnboardingStatus, SensorHealthState // Verify EDR enrollment after rebuild
Notes
- System rebuilds are the gold standard for eradication. They are time-consuming but provide the highest confidence that no attacker artifacts remain.
- Do not restore from backup any executable files or scripts -- only data files. Rebuild application installations from scratch.
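Added example (not part of this playbook) covering the integrity check in step 4 and the data-only rule in the note above: it compares a restored tree against a manifest of SHA-256 hashes taken from the validated clean backup, flags altered or missing data files, and flags any executable or script that came back from backup. The manifest format, the `BLOCKED_SUFFIXES` list and the sample tree in `demo()` are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Executable/script types that must never come back from backup (hypothetical starter list).
BLOCKED_SUFFIXES = {".exe", ".dll", ".msi", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".sh"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream so large data files stay out of memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_restore(manifest, restore_root):
    """Compare restored files with the clean backup's manifest {relative path: sha256 hex}.
    Buckets: ok (hash matches), mismatch, missing, blocked (an executable was restored)."""
    out = {"ok": [], "mismatch": [], "missing": [], "blocked": []}
    for rel, expected in manifest.items():
        p = Path(restore_root) / rel
        if Path(rel).suffix.lower() in BLOCKED_SUFFIXES:
            if p.exists():
                out["blocked"].append(rel)  # binaries get reinstalled from scratch, never restored
            continue                        # absent is the desired state for these
        if not p.is_file():
            out["missing"].append(rel)
        elif sha256_file(p) == expected.lower():
            out["ok"].append(rel)
        else:
            out["mismatch"].append(rel)
    return out


def ready_for_production(result):
    # Gate for step 4: every data file present and intact, and no executables restored.
    return not (result["mismatch"] or result["missing"] or result["blocked"])


def demo():
    # Constructed sample tree: one intact file, one altered file, one never restored, one stray binary.
    root = Path(tempfile.mkdtemp())
    (root / "data").mkdir()
    good = b"customer,balance\n1001,42.50\n"
    (root / "data" / "accounts.csv").write_bytes(good)
    (root / "data" / "report.txt").write_bytes(b"changed after the backup was taken\n")
    (root / "helper.exe").write_bytes(b"MZ-placeholder")
    manifest = {"data/accounts.csv": hashlib.sha256(good).hexdigest(),
                "data/report.txt": hashlib.sha256(b"original report\n").hexdigest(),
                "data/archive.zip": hashlib.sha256(b"never restored").hexdigest(),
                "helper.exe": hashlib.sha256(b"MZ-placeholder").hexdigest()}
    return check_restore(manifest, root)
```

Run `demo()` to see the four buckets; a rebuilt host should only return to production when `ready_for_production()` is true for the full restore manifest.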