The eradication phase in incident response involveseliminating the root cause of the incidentand strengthening defenses to prevent reoccurrence. In this case:
Intrusion Prevention System (D): Adding new rules to the IPS to detect and block malicious activity on TCP/135 is a direct eradication step to remove the threat’s entry point and prevent future attacks.
Centralized User Management (C): Hardening user accounts, removing unnecessary permissions, and applying tighter authentication/authorization measures helps eliminate the possibility that threat actors could exploit weak or mismanaged accounts to continue accessing the system.
Althoughanti-malware software (A)andenterprise block listing (E)are valuable, themost direct eradication stepshere specifically involve managing network access (via IPS) and strengthening user controls (via centralized user management), especially when TCP/135 (MSRPC endpoint mapper) can be used to enumerate services and potentially access vulnerable endpoints remotely.
This aligns with best practices outlined in incident response frameworks (such as the NIST SP 800-61 and referenced resources), which emphasizeclosing the exploited entry points(in this case, TCP/135) andremoving any lingering access pointsthrough user management and network control enhancements.
[Reference:, CyberOps Technologies (CBRFIR) 300-215 study guide, Chapter: Understanding the Incident Response Process, Eradication Phase, page 105-106., External Reference: “The Core Phases of Incident Response – Remediation,” Cipher blog [1]., External Reference: “Service Overview and Network Port Requirements,” Microsoft documentation [2]., , ]
Submit