13.8 Eradication and Verification

2–3 hours · Module 13

Containment cut off the attacker's current access. Eradication confirms that every persistence mechanism they left behind (rules, forwarding, delegates, MFA methods, app consents) has been removed. Verification confirms, over time, that containment is holding and the attacker has not found a way back in.

Eradication checklist

Run each query and confirm the expected clean result:

1. Confirm no remaining inbox rules from the attacker:

```kusto
CloudAppEvents
| where TimeGenerated > ago(7d)
| where AccountDisplayName has "morrison"
| where ActionType in ("New-InboxRule", "Set-InboxRule")
| where IPAddress != "198.51.100.10"   // exclude the user's known corporate IP
| project TimeGenerated, ActionType, IPAddress, tostring(RawEventData.Parameters)
```

Replace 198.51.100.10 with the addresses you have already attributed to the user (corporate egress, VPN, home broadband). Any rule created or modified from an IP you cannot attribute is a rule you missed: remove it and add the IP to the incident's indicator list. Note that this query shows rule creation and modification events, not the mailbox's current rule set; a rule created before the 7-day window, or whose event has not yet been ingested, will not appear, so confirm the live state with Get-InboxRule in Exchange Online PowerShell before signing off.

2. Confirm no delegate access was granted:

```kusto
CloudAppEvents
| where TimeGenerated > ago(7d)
// FullAccess, SendAs and folder-level grants are three separate audited operations
| where ActionType in ("Add-MailboxPermission", "Add-RecipientPermission", "Add-MailboxFolderPermission")
| where tostring(RawEventData.Parameters) has "morrison"
| project TimeGenerated, ActionType, tostring(RawEventData.Parameters), IPAddress
```

Attackers sometimes grant FullAccess or SendAs on the victim's mailbox to another account they control (a second compromised user, a guest, or an account they created), which gives them persistent access to the mail without the compromised user's credentials and survives a password reset and token revocation on the victim alone.

3. Confirm no new MFA methods registered by the attacker:

```kusto
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any ("User registered security info", "User registered all required security info", "Admin registered security info")
| where TargetResources has "morrison"
| project TimeGenerated, OperationName, tostring(InitiatedBy), tostring(AdditionalDetails)
```

After forcing MFA re-registration, you should see only the legitimate user re-registering from their known device. Any other registration (a second phone number, an authenticator on an unknown device, an admin-initiated registration nobody on the team made) means the attacker's method may still be active: remove it and treat the account as still compromised until the list of registered methods contains only entries the user confirms are theirs.
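The three queries above show audited events, not the mailbox's present state. As an added example (not part of the course material), the following Exchange Online and Microsoft Graph PowerShell script enumerates the current inbox rules, mailbox forwarding, delegates, registered authentication methods and OAuth grants for the victim, and writes the findings to a CSV for the evidence file. The corporate domain, module availability, Graph scopes and output path are assumptions.

```powershell
# Added example (not course material): check the mailbox's and account's
# *current* state with Exchange Online and Microsoft Graph PowerShell, because
# the KQL queries above only show events inside their 7-day window.
# Assumptions: the victim UPN (from the incident) and the corporate domain
# below; ExchangeOnlineManagement and Microsoft.Graph modules are installed.
$Mailbox        = 'j.morrison@northgateeng.com'   # victim UPN
$InternalDomain = 'northgateeng.com'              # assumption: corporate mail domain
$Findings       = [System.Collections.Generic.List[object]]::new()

function Add-Finding ([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

Connect-ExchangeOnline -ShowBanner:$false

# 1. Inbox rules that send mail elsewhere or out of sight. Internal-only
#    forwards are listed too, so the analyst can judge them.
foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
    $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ }
    $external = $targets | Where-Object { "$_" -notmatch [regex]::Escape($InternalDomain) }
    $hides    = $rule.DeleteMessage -or ("$($rule.MoveToFolder)" -match 'Deleted Items|Junk|RSS|Archive')
    if ($targets -or $hides) {
        Add-Finding 'InboxRule' ('{0} Enabled={1} Targets=[{2}] External={3} Delete={4} MoveTo={5}' -f
            $rule.Name, $rule.Enabled, ($targets -join ';'), [bool]$external, $rule.DeleteMessage, $rule.MoveToFolder)
    }
}

# 2. Mailbox-level forwarding, which is separate from inbox rules.
$mbx = Get-Mailbox -Identity $Mailbox
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Add-Finding 'Forwarding' ('ForwardingSmtpAddress={0} ForwardingAddress={1} DeliverToMailboxAndForward={2}' -f
        $mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress, $mbx.DeliverToMailboxAndForward)
}

# 3. Delegates: FullAccess on the mailbox, SendAs on the recipient, and
#    folder-level grants on the Inbox (all three are persistence paths).
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    ForEach-Object { Add-Finding 'FullAccess' ('{0}: {1}' -f $_.User, ($_.AccessRights -join ',')) }

Get-RecipientPermission -Identity $Mailbox |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    ForEach-Object { Add-Finding 'SendAs' ('{0}: {1}' -f $_.Trustee, ($_.AccessRights -join ',')) }

Get-MailboxFolderPermission -Identity "${Mailbox}:\Inbox" |
    Where-Object { "$($_.User)" -notin 'Default', 'Anonymous' } |
    ForEach-Object { Add-Finding 'FolderPermission' ('Inbox {0}: {1}' -f $_.User, ($_.AccessRights -join ',')) }

Disconnect-ExchangeOnline -Confirm:$false

# 4. Registered authentication methods: every entry should be a device or phone
#    the user confirms is theirs. Anything else is the attacker's MFA persistence.
# 5. OAuth2 grants the user consented to: compare with the AuditLogs consent events.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'Directory.Read.All' -NoWelcome

foreach ($m in Get-MgUserAuthenticationMethod -UserId $Mailbox) {
    $type = ($m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
    if ($type -eq 'passwordAuthenticationMethod') { continue }
    $label = @($m.AdditionalProperties['displayName'], $m.AdditionalProperties['phoneNumber'],
               $m.AdditionalProperties['emailAddress'], $m.Id) | Where-Object { $_ } | Select-Object -First 1
    Add-Finding 'AuthMethod' ('{0}: {1}' -f $type, $label)
}

foreach ($g in Get-MgUserOauth2PermissionGrant -UserId $Mailbox) {
    $app = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    Add-Finding 'OAuthGrant' ('{0} ({1}) scope=[{2}]' -f $app.DisplayName, $app.AppId, $g.Scope)
}

Disconnect-MgGraph | Out-Null

# Clean result: no InboxRule/Forwarding/FullAccess/SendAs/FolderPermission
# findings, and only the user's own AuthMethod and OAuthGrant entries.
$Findings | Format-Table -AutoSize
$Findings | Export-Csv -Path ".\eradication-state-$(Get-Date -Format 'yyyyMMdd-HHmm').csv" -NoTypeInformation
```

Run it once after eradication and keep the CSV alongside the query exports; the log queries prove what the attacker did, this listing proves what is left.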

Monitoring for re-compromise

Set up a temporary monitoring window. For the next 7 days, run this query daily:

```kusto
let watch_users = dynamic(["j.morrison@northgateeng.com"]);
let watch_start = datetime(2026-02-27T09:50:00Z);
// LocationDetails is dynamic in SigninLogs but a JSON string in
// AADNonInteractiveUserSignInLogs, so extract the country in each table
// before the union rather than after it.
let interactive = SigninLogs
    | extend Country = tostring(LocationDetails.countryOrRegion);
let noninteractive = AADNonInteractiveUserSignInLogs
    | extend Country = tostring(todynamic(LocationDetails).countryOrRegion);
union interactive, noninteractive
| where TimeGenerated > watch_start
| where UserPrincipalName in~ (watch_users)
| where ResultType == "0"          // ResultType is a string column; "0" is success
| where Country != "GB"            // keeps rows with an empty Country: treat those as unknown
| project TimeGenerated, UserPrincipalName, IPAddress, Country, AppDisplayName, Type
| sort by TimeGenerated desc
```

Any successful sign-in from outside the UK during the monitoring window triggers immediate re-investigation. Rows with an empty Country are kept by the query on purpose: treat them as unknown location, not as UK. The attacker may try to re-compromise the user by a different route (replaying credentials or tokens harvested earlier, a SIM swap against an SMS-based MFA method, or social engineering of the help desk into a password or MFA reset).

Convert this monitoring query into a temporary Sentinel analytics rule

Rather than running the query manually every day, create a temporary scheduled analytics rule that fires on any non-UK sign-in for the affected user. Microsoft Sentinel scheduled rules have no expiry setting, so bound the window inside the query (TimeGenerated between watch_start and watch_start + 7d) so the rule stops matching on its own, and log a dated task in the incident to disable and delete it after 7 days. This automates the monitoring without leaving permanent rule clutter.
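As an added example (not the course's own code), the following PowerShell installs the watch as a scheduled analytics rule through the Sentinel REST API using Az.Accounts' Invoke-AzRestMethod. The subscription, resource group and workspace names, the hourly cadence and the rule's display text are assumptions; the query it installs carries a watch_end boundary so it goes quiet on its own after 7 days even if the rule is left enabled.

```powershell
# Added example (not course material): install the 7-day watch as a scheduled
# analytics rule with the Sentinel REST API. Assumptions: subscription, resource
# group and workspace names below; the caller holds Microsoft Sentinel Contributor;
# Az.Accounts is installed (Invoke-AzRestMethod).
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # assumption
$ResourceGroup  = 'rg-sentinel-prod'                       # assumption
$Workspace      = 'law-sentinel-prod'                      # assumption
$WatchUser      = 'j.morrison@northgateeng.com'            # victim UPN (from the incident)
$HomeCountry    = 'GB'
$WatchStart     = [datetime]::new(2026, 2, 27, 9, 50, 0, [System.DateTimeKind]::Utc)
$WatchEnd       = $WatchStart.AddDays(7)
$RuleId         = [guid]::NewGuid().Guid                   # alertRules/{ruleId} must be a GUID
$fmt            = 'yyyy-MM-ddTHH:mm:ssZ'

# Same logic as the manual query, plus a watch_end clamp so the rule stops
# matching after the window even if nobody disables it on time.
$Query = @"
let watch_users = dynamic(["$WatchUser"]);
let watch_start = datetime($($WatchStart.ToString($fmt)));
let watch_end   = datetime($($WatchEnd.ToString($fmt)));
let interactive = SigninLogs
    | extend Country = tostring(LocationDetails.countryOrRegion);
let noninteractive = AADNonInteractiveUserSignInLogs
    | extend Country = tostring(todynamic(LocationDetails).countryOrRegion);
union interactive, noninteractive
| where TimeGenerated between (watch_start .. watch_end)
| where UserPrincipalName in~ (watch_users)
| where ResultType == "0"
| where Country != "$HomeCountry"
| project TimeGenerated, UserPrincipalName, IPAddress, Country, AppDisplayName, Type
"@

$Body = @{
    kind       = 'Scheduled'
    properties = @{
        displayName         = "TEMP watch: non-$HomeCountry sign-in for $WatchUser (until $($WatchEnd.ToString('yyyy-MM-dd')))"
        description         = "Temporary post-eradication watch. The query stops matching after $($WatchEnd.ToString($fmt)); disable and delete the rule after that date."
        severity            = 'High'
        enabled             = $true
        query               = $Query
        queryFrequency      = 'PT1H'          # run every hour...
        queryPeriod         = 'PT1H'          # ...over the previous hour of data
        triggerOperator     = 'GreaterThan'
        triggerThreshold    = 0               # any matching row raises an alert
        suppressionDuration = 'PT1H'
        suppressionEnabled  = $false
        tactics             = @('InitialAccess')
    }
} | ConvertTo-Json -Depth 5

$Path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights/alertRules/${RuleId}?api-version=2023-02-01"

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$resp = Invoke-AzRestMethod -Path $Path -Method PUT -Payload $Body
if ($resp.StatusCode -notin 200, 201) {
    throw "Rule deployment failed: HTTP $($resp.StatusCode) $($resp.Content)"
}
"Deployed rule $RuleId; record a task to remove it on $($WatchEnd.ToString('yyyy-MM-dd'))."

# After the window, remove the rule (the query has already gone quiet by then):
# Invoke-AzRestMethod -Path $Path -Method DELETE
```

Keep the rule id and the deployment output in the evidence file; the sign-off table's "7-day monitoring rule deployed" row should point at them.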

Verification sign-off

| Check | Expected result | Actual result | Analyst |
|---|---|---|---|
| No attacker IP in non-interactive logs (post-revocation) | Zero events | Confirmed | |
| All malicious inbox rules removed | Zero rules from attacker IP | Confirmed | |
| No mail forwarding configured | No ForwardingSmtpAddress | Confirmed | |
| No OAuth app grants from attack window | Zero new consents | Confirmed | |
| No delegate access granted | Zero new permissions | Confirmed | |
| MFA re-registered by legitimate user only | One registration from known device | Confirmed | |
| 7-day monitoring rule deployed | Rule active | Confirmed | |

This checklist is your sign-off document. Every “Confirmed” should have a corresponding query result (screenshot or CSV export) in your evidence file.

Check your understanding

1. Why check for delegate mailbox access in addition to inbox rules and forwarding?

Delegate access (FullAccess or SendAs permission) allows another account to access the mailbox without needing the compromised user's credentials. The attacker could create a second account or use another compromised account with delegate access, maintaining persistent access even after the primary account is fully contained.
Delegate access is the same as inbox rules
Delegate access is only relevant for shared mailboxes