Rebuild Compromised Systems from Known-Good Images
Rebuild compromised systems from gold images, restore data from verified clean backups, and validate system integrity before returning to production.
Actions
1. Take a final forensic image of each compromised system before rebuilding, for evidence preservation. Record the image hash and chain of custody before the disk is wiped.
2. Rebuild the system from the organization's gold image. Verify the image's hash against the recorded known-good value before deploying it, then apply all current security patches to the fresh install.
3. Install and configure the EDR agent, verify it is reporting to the console, and run a full system scan.
4. Restore application data from the last known clean backup (the one verified during backup validation). Verify data integrity against the backup manifest and confirm application functionality.
5. Harden the rebuilt system: disable unnecessary services, apply CIS benchmarks, enforce MFA, and bring it up to the latest security baseline.
Queries
Verify EDR enrollment after rebuild (Microsoft Defender for Endpoint advanced hunting, KQL):
DeviceInfo | where Timestamp > ago(1h) | where DeviceName == "REBUILT_HOST" | project DeviceName, OSPlatform, OSVersion, OnboardingStatus, SensorHealthState // Verify EDR enrollment after rebuild
Confirm the rebuild boot and review every service installed since (Splunk, SPL; 6005/6006 = Event Log service started/stopped, 7045 = new service installed). The OR terms must be parenthesized: AND binds tighter than OR in SPL, so without the parentheses the index, sourcetype and host filters apply only to the first event code.
index=wineventlog sourcetype=WinEventLog:System host=REBUILT_HOST (EventCode=6005 OR EventCode=6006 OR EventCode=7045) earliest=-24h | table _time, host, EventCode, Message | sort _time
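The Splunk query returns raw rows; what the responder actually wants is the first boot after the rebuild began and every service installed since then, minus the services the build is supposed to add. The following is an added example, not part of the playbook, that performs that triage offline in Python over constructed System-log records. The sample events, the rebuild timestamp, and the use of "Sense" as the EDR agent's service name are all assumptions made for the demonstration; substitute the service names your gold image and EDR installer actually register.

```python
"""Post-rebuild service-install triage (added example, not playbook code).

From Windows System-log records for the rebuilt host (6005 = Event Log service
started, i.e. a boot; 6006 = stopped; 7045 = new service installed), locate the
first boot after the rebuild began and list each service installed since.
Services the build is expected to add are allowlisted; anything else is flagged.
Installs recorded before that boot belong to the compromised image and are kept
separately for the case file.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed records: (timestamp, host, EventCode, Message).
SAMPLE_EVENTS = [
    ("2024-05-01T09:58:00Z", "REBUILT_HOST", 7045,
     "A service was installed in the system.\nService Name: evilsvc\n"
     "Service File Name: C:\\ProgramData\\evil.exe"),
    ("2024-05-01T10:00:00Z", "REBUILT_HOST", 6006, "The Event log service was stopped."),
    ("2024-05-01T10:30:00Z", "REBUILT_HOST", 6005, "The Event log service was started."),
    ("2024-05-01T10:35:00Z", "REBUILT_HOST", 7045,
     "A service was installed in the system.\nService Name: Sense\n"
     "Service File Name: C:\\Program Files\\EDR\\agent.exe"),
    ("2024-05-01T10:40:00Z", "REBUILT_HOST", 7045,
     "A service was installed in the system.\nService Name: PSEXESVC\n"
     "Service File Name: %SystemRoot%\\PSEXESVC.exe"),
    ("2024-05-01T10:41:00Z", "OTHER_HOST", 7045,
     "A service was installed in the system.\nService Name: PSEXESVC\n"
     "Service File Name: %SystemRoot%\\PSEXESVC.exe"),
]
REBUILD_STARTED = "2024-05-01T10:05:00Z"   # when the wipe/reimage began (assumed)
EXPECTED_SERVICES = {"Sense"}              # services the build + EDR install add (assumed)

_SVC = re.compile(r"Service Name:\s*([^\r\n]+)")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def service_name(message: str) -> str:
    """Pull the Service Name field out of a 7045 message body."""
    m = _SVC.search(message)
    return m.group(1).strip() if m else "<unparsed>"


def triage(events, host: str, rebuild_started: datetime, expected: set[str]) -> dict:
    recs = sorted((parse_ts(ts), code, msg) for ts, h, code, msg in events if h == host)
    # First 6005 at or after the rebuild start is the rebuilt host's first boot.
    boot = next((ts for ts, code, _ in recs if code == 6005 and ts >= rebuild_started), None)
    report: dict = {"boot": None, "expected": [], "unexpected": [], "pre_rebuild_installs": []}
    report["pre_rebuild_installs"] = [service_name(m) for ts, c, m in recs
                                      if c == 7045 and (boot is None or ts < boot)]
    if boot is None:                       # host has not come back up yet
        return report
    report["boot"] = boot.isoformat()
    for ts, code, msg in recs:
        if code == 7045 and ts >= boot:
            name = service_name(msg)
            report["expected" if name in expected else "unexpected"].append(name)
    return report


def demo() -> dict:
    return triage(SAMPLE_EVENTS, "REBUILT_HOST", parse_ts(REBUILD_STARTED), EXPECTED_SERVICES)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

An unexpected service on a host that was just rebuilt is a strong signal: either the gold image or the restore set carried something it should not have, or the attacker still has a path onto the host. Either way the host does not return to production until the source of the install is explained.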
Notes
System rebuilds are the gold standard for eradication. They are time-consuming but provide the highest confidence that no attacker artifacts remain.
Restore only data files from backup, never executables or scripts: a backdoored binary or attacker script captured in the backup would reinfect the rebuilt host. Reinstall applications from trusted installation media or your package repository, and treat any executable content found in the restore set as a finding to check against the forensic image taken before the rebuild.