Patch & Recovery Steps

Patch and recovery steps focus on restoring systems to a secure, fully functional state after an incident.
Once containment and isolation are completed, the SOC must ensure the attacker’s foothold is removed, vulnerabilities are fixed, affected systems are cleaned, and business operations return to normal without leaving any backdoors or persistence behind.

This chapter explains the full, practical, SOC-level process for patching, cleaning, rebuilding, validating, and recovering compromised systems.


Purpose of Patch & Recovery

Patch and recovery ensures:

  • Endpoints no longer contain malware

  • Vulnerabilities exploited in the attack are fixed

  • Persistence mechanisms are removed

  • Misconfigurations are corrected

  • System integrity and security posture are restored

  • Business operations resume safely

  • Attackers cannot re-enter the environment

Recovery is not just “cleaning a machine.”
It is closing every gap that enabled the attack.


Core Components of Patch & Recovery

1. Identify Exploited Vulnerability

Every incident has an entry point.
Recovery begins by identifying what allowed the attack.

Examples:

  • Unpatched software (e.g., Log4j, Exchange, Apache)

  • Weak RDP configuration

  • VPN without MFA

  • Browser vulnerabilities

  • Outdated EDR agent

  • Misconfigured firewall

  • Privilege escalation flaw

Analysts must verify whether:

  • The exploit was remote

  • A user executed a file

  • Credential theft occurred

  • Lateral movement happened

This determines the required patches and remediation depth.


2. Patch the Vulnerability

After identifying the gap, apply patches immediately.

Examples:

  • Update OS

  • Update application version

  • Install security hotfixes

  • Update firmware on appliances

  • Update browser or Java

  • Patch VPN gateways

  • Update EDR to latest engine

Critical rule:
Never bring a system back online without patching what caused the compromise.


3. Remove Persistence Mechanisms

Attackers often leave behind persistence to regain access.

Check and remove:

  • Registry Run keys

  • Scheduled tasks

  • WMI subscriptions

  • Startup folder files

  • Malicious services

  • Cron jobs

  • SSH authorized keys

  • Hidden user accounts

Example removal:

schtasks /delete /tn "Updater"

Every persistence path must be validated as clean.
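An added example (not part of this chapter) that audits three of the Linux persistence locations listed above: cron jobs, SSH authorized keys and hidden UID-0 accounts. It reads every path relative to a root directory so a mounted image can be checked offline; the allow-listed SSH key, the cron patterns and the sample tree are constructed assumptions.

```python
"""Audit Linux persistence locations (cron, SSH authorized_keys, extra UID-0 accounts)
under `root`, so a mounted image or a constructed tree can be checked offline."""
import glob, os, re, tempfile

# Hypothetical allow-list: the SSH public keys the SOC knows should be present.
EXPECTED_KEYS = {"ssh-ed25519 AAAAconstructedDeployKey deploy@ci"}
# Command fragments that usually mean cron is relaunching a dropped payload.
SUSPICIOUS_CRON = re.compile(r"/tmp/|/var/tmp/|/dev/shm/|\bcurl\b|\bwget\b|base64 -d")

def _active_lines(path):
    """Yield non-empty, non-comment lines of a file."""
    with open(path, errors="replace") as fh:
        for line in fh:
            s = line.strip()
            if s and not s.startswith("#"):
                yield s

def audit_cron(root):
    """Return (relative file, line) for active cron lines matching SUSPICIOUS_CRON."""
    files = [os.path.join(root, "etc", "crontab")] + glob.glob(os.path.join(root, "etc", "cron*", "*")) \
          + glob.glob(os.path.join(root, "var", "spool", "cron", "*", "*"))
    return [(os.path.relpath(f, root), s) for f in files if os.path.isfile(f)
            for s in _active_lines(f) if SUSPICIOUS_CRON.search(s)]

def audit_authorized_keys(root):
    """Return (relative file, key comment) for keys that are not on the allow-list."""
    files = glob.glob(os.path.join(root, "home", "*", ".ssh", "authorized_keys")) \
          + glob.glob(os.path.join(root, "root", ".ssh", "authorized_keys"))
    return [(os.path.relpath(f, root), s.split()[-1]) for f in files
            for s in _active_lines(f) if s not in EXPECTED_KEYS]

def audit_uid0(root):
    """Return account names other than root that carry UID 0 (hidden admin accounts)."""
    return [f[0] for f in (l.split(":") for l in _active_lines(os.path.join(root, "etc", "passwd")))
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]

def build_sample_root():
    """Constructed filesystem tree (not from a real host) that exercises each check."""
    root = tempfile.mkdtemp()
    files = {
        "etc/crontab": "0 * * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "etc/cron.d/sysupdate": "*/5 * * * * root /tmp/.x/update.sh\n",
        "etc/passwd": "root:x:0:0::/root:/bin/bash\nsupport:x:0:0::/tmp:/bin/sh\nbob:x:1000:1000::/home/bob:/bin/bash\n",
        "home/bob/.ssh/authorized_keys": "ssh-ed25519 AAAAconstructedDeployKey deploy@ci\nssh-rsa AAAAconstructedRogueKey attacker@box\n",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").write(body)
    return root

if __name__ == "__main__":
    r = build_sample_root()
    print(audit_cron(r), audit_authorized_keys(r), audit_uid0(r), sep="\n")
```

Run it against "/" (or a mounted image root) on a cleaned host; every finding is a path the analyst must explain before the system is declared clean.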


4. Remove Malicious Files & Artifacts

Clean the system by removing:

  • Dropped payloads

  • PowerShell scripts

  • Temp folder binaries

  • Malicious DLLs

  • Browser extensions

  • Malicious cron scripts

  • Rogue tools (PsExec, Mimikatz, Rclone)

Recovery includes searching these directories:

Windows:

C:\Users\<user>\AppData\Local\Temp
C:\Users\Public
C:\ProgramData
Startup folder

Linux:

/tmp
/var/tmp
/home/<user>
/etc/cron*

5. EDR Rescan & Verification

Before restoring connectivity:

  • Run full EDR scan

  • Validate no malicious process is active

  • Ensure no outbound connections exist

  • Confirm signatures are updated

  • Check no suspicious PowerShell/WMI activity remains

The EDR timeline must show no active threats.


6. System Integrity Validation

The SOC verifies that the system has not been tampered with at the OS level.

Checks:

  • System file integrity

  • Kernel integrity

  • Registry consistency

  • Valid running services

  • No rogue drivers

Windows:

sfc /scannow
DISM /Online /Cleanup-Image /RestoreHealth

Linux:

  • Compare critical binaries with package manager versions

  • Validate SSH configuration

  • Verify system logs for anomalies


7. Password Resets & Credential Hardening

If credentials were exposed, reset them:

  • User passwords

  • Admin accounts

  • Service accounts

  • API keys

  • SSH keys

  • Database credentials

Enforce:

  • MFA

  • Strong password policies

  • Rotating access tokens

Credential resetting prevents attackers from reusing stolen access.


8. Rebuild if Necessary

If system integrity is questionable or rootkit-level compromise is suspected:

Reimage the system completely.

Rebuild triggers:

  • Rootkits observed

  • Bootloader tampering

  • Repeated infections

  • Ransomware impact

  • Unpatchable systems

  • CI/CD or production server compromise

A rebuild ensures a full security reset.


9. Network & Firewall Hardening

After endpoint cleanup:

  • Block indicators discovered during investigation

  • Remove exposed ports

  • Tighten inbound/outbound rules

  • Enforce DNS filtering

  • Apply segmentation

  • Disable unused protocols (SMBv1, Telnet, FTP)

Firewall changes must reflect lessons from the incident.


10. Monitoring After Recovery

Monitoring must be increased for 72 hours to 7 days.

SOC watches for:

  • Reconnection attempts

  • DNS lookups to known malicious domains

  • Failed logon attempts

  • PowerShell or cmd anomalies

  • Persistence recreation attempts

  • Outbound beaconing

Recovery is not complete until logs show stable, clean behavior.
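An added example (not code from this chapter) showing the post-recovery watch list above as detection logic run over constructed telemetry: lookups of a blocked domain, a failed-logon burst, recreation of a scheduled task and outbound beaconing at a constant interval. The log format, the IOC domain and the thresholds are assumptions.

```python
"""Post-recovery monitoring over constructed log lines for the signals listed above."""
import re
from collections import defaultdict
from datetime import datetime

BLOCKED_DOMAINS = {"update-cdn.example"}  # constructed IOC "found during the investigation"
PERSISTENCE_CMDS = re.compile(r"schtasks\s+/create|reg\s+add\s.*\\Run|crontab\s+-", re.I)
FAILED_LOGON_LIMIT, LOGON_WINDOW = 3, 120  # failures per account within a window of seconds

def parse(line):
    """'<iso timestamp> key=value ...' -> dict; values may be double-quoted."""
    ts, _, rest = line.partition(" ")
    d = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    d["ts"] = datetime.fromisoformat(ts)
    return d

def analyze(lines):
    """Return (alert, host, detail) tuples for the post-recovery signals."""
    alerts, failed, conns = [], defaultdict(list), defaultdict(list)
    for e in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        t = e.get("type")
        if t == "dns" and e.get("query") in BLOCKED_DOMAINS:
            alerts.append(("blocked_domain_lookup", e["host"], e["query"]))
        elif t == "logon" and e.get("status") == "failed":
            failed[e["user"]].append(e["ts"])
            recent = [x for x in failed[e["user"]] if (e["ts"] - x).total_seconds() <= LOGON_WINDOW]
            if len(recent) == FAILED_LOGON_LIMIT:  # fires once, when the threshold is reached
                alerts.append(("failed_logon_burst", e["host"], e["user"]))
        elif t == "process" and PERSISTENCE_CMDS.search(e.get("cmd", "")):
            alerts.append(("persistence_recreated", e["host"], e["cmd"]))
        elif t == "netconn" and e.get("direction") == "out":
            conns[(e["host"], e["dst"])].append(e["ts"])
    for (host, dst), ts in conns.items():  # beaconing: repeated outbound hits at a near-constant interval
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 4 and max(gaps) - min(gaps) <= 2:
            alerts.append(("beaconing", host, f"{dst} every ~{gaps[0]:.0f}s"))
    return alerts

# Constructed sample telemetry (not from a real host); one event per line.
SAMPLE_LOGS = """\
2024-03-01T09:00:00 host=WS01 type=dns query=update-cdn.example
2024-03-01T09:00:05 host=WS01 type=netconn direction=out dst=203.0.113.10:443
2024-03-01T09:01:05 host=WS01 type=netconn direction=out dst=203.0.113.10:443
2024-03-01T09:02:06 host=WS01 type=netconn direction=out dst=203.0.113.10:443
2024-03-01T09:03:05 host=WS01 type=netconn direction=out dst=203.0.113.10:443
2024-03-01T09:04:06 host=WS01 type=netconn direction=out dst=203.0.113.10:443
2024-03-01T09:10:00 host=SRV02 type=logon user=svc_backup status=failed
2024-03-01T09:10:20 host=SRV02 type=logon user=svc_backup status=failed
2024-03-01T09:10:40 host=SRV02 type=logon user=svc_backup status=failed
2024-03-01T09:15:00 host=WS01 type=process cmd="schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe"
""".splitlines()
```

Calling analyze(SAMPLE_LOGS) returns one alert per signal; feeding real telemetry for the 72-hour to 7-day window gives the SOC an objective basis for declaring recovery complete.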


Practical Recovery Scenarios

Scenario 1 — Ransomware Infection

Steps:

  • Remove endpoint from network

  • Identify encryption vector

  • Patch vulnerability exploited

  • Remove ransomware executable

  • Search for persistence

  • Replace affected files from backups

  • Rebuild system if needed

  • Reset passwords

  • Harden SMB and RDP

  • Add detections for ransomware patterns


Scenario 2 — Phishing → Malware Execution

Steps:

  • Remove malicious file

  • Patch Outlook/Office

  • Clean PowerShell artifacts

  • Remove persistence DLLs

  • Reset user credentials

  • Block domain/IP

  • Add Sigma rule for executed command line


Scenario 3 — Cloud Compromise

Steps:

  • Rotate IAM keys

  • Revoke API tokens

  • Patch cloud workload

  • Enable logging

  • Fix misconfigured S3 buckets

  • Apply least privilege

  • Validate security groups


Scenario 4 — Linux Crypto Miner

Steps:

  • Kill miner process

  • Remove cron persistence

  • Patch SSH vulnerability

  • Rotate SSH keys

  • Harden SSH configuration

  • Block mining pool IP ranges


SOC Workflow for Patch & Recovery

  1. Identify exploited vulnerability

  2. Patch OS/software/firmware

  3. Remove persistence

  4. Remove malicious files

  5. Perform memory and EDR scans

  6. Validate system integrity

  7. Reset credentials

  8. Harden network/firewall rules

  9. Monitor aggressively

  10. Document recovery actions


Intel Dump

  • Patch and recovery restores systems to safe operation and prevents reinfection.

  • Steps include patching vulnerabilities, removing malware, eliminating persistence, scanning with EDR, verifying integrity, rotating credentials, and hardening networks.

  • Systems must be monitored after recovery to ensure attacker activity does not return.

  • Rebuilding a system is required when integrity is questionable or rootkits are involved.
