4.25-Stop Malware Rootkit
Task: Stop Malware Rootkit
Conditions
Given a system compromised by a malware rootkit, perform the steps that stop it: disable the accounts it is using and cut the host off the network.
Standards
- Disable Account
  - Domain account: Active Directory Users and Computers -> right-click the account -> Disable Account.
  - Local account: create a GPO -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Administrator account status -> Disabled. This setting only disables the built-in Administrator account; any other local account must be disabled on the host itself (net user <name> /active:no). The GPO takes effect at the next policy refresh, so apply it (or run gpupdate /force on the host) before the host is pulled off the network.
- Hobble Host
  - Identify the MAC address from the IP address of the rogue station (ARP or neighbor cache of a host on the same segment, or the gateway's ARP table).
  - Trace the MAC address to its switch port (for example, show mac address-table address <mac> on Cisco IOS).
  - Shut down that interface so no interface to the host is up; leave the port administratively down.
  - Physically power off the machine, once any volatile-memory capture the investigation needs has been taken, since powering off destroys it.
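The account and host-isolation steps above, as an added PowerShell example that is not part of the original handbook. It assumes the responder's workstation has the ActiveDirectory (RSAT) and NetTCPIP modules, that the switch runs Cisco IOS, and that the account names, IP address and switch port used are hypothetical placeholders. The switch commands are emitted as text because they are typed at the switch console, not in PowerShell.

```powershell
# Added example, not the handbook's own code. Assumes RSAT ActiveDirectory
# module and NetTCPIP (Windows 8 / Server 2012 or later) on the responder's
# machine; account names and the IP below are hypothetical placeholders.
#Requires -RunAsAdministrator

function Disable-CompromisedAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$Local    # set for a local (non-domain) account on the host
    )
    if ($Local) {
        # Must run on the host itself (or via Invoke-Command). This is the
        # scripted equivalent of "net user $Name /active:no"; the handbook's
        # GPO method reaches the built-in Administrator without touching the host.
        Disable-LocalUser -Name $Name -ErrorAction Stop
    } else {
        # Same effect as ADUC -> right-click the account -> Disable Account.
        Import-Module ActiveDirectory -ErrorAction Stop
        Disable-ADAccount -Identity $Name -ErrorAction Stop
    }
    Write-Host "Disabled account '$Name'"
}

function Get-RogueMac {
    # Resolves the rogue station's MAC from the local neighbor (ARP) cache.
    # Only works when the responder shares a layer-2 segment with the rogue
    # host; otherwise run the same lookup on that segment's gateway.
    param([Parameter(Mandatory)][string]$IPAddress)
    $null = Test-Connection -ComputerName $IPAddress -Count 1 -Quiet   # populate the cache
    $entry = Get-NetNeighbor -IPAddress $IPAddress -ErrorAction SilentlyContinue |
             Where-Object { $_.LinkLayerAddress -and
                            $_.LinkLayerAddress -ne '00-00-00-00-00-00' -and
                            $_.State -ne 'Unreachable' } |
             Select-Object -First 1
    if (-not $entry) {
        throw "No neighbor entry for $IPAddress; query the gateway's ARP table instead."
    }
    return $entry.LinkLayerAddress    # Windows format, e.g. 00-1A-2B-3C-4D-5E
}

function ConvertTo-CiscoMac {
    # Cisco IOS prints MACs as xxxx.xxxx.xxxx; Windows prints AA-BB-CC-DD-EE-FF.
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a MAC address: $Mac" }
    return '{0}.{1}.{2}' -f $hex.Substring(0, 4), $hex.Substring(4, 4), $hex.Substring(8, 4)
}

function Get-PortShutdownCommands {
    # Switch-side steps: locate the port from the MAC table, then shut it down
    # so no interface to the host is up. The port name comes from the first
    # command's output and must be filled in by the responder.
    param([Parameter(Mandatory)][string]$CiscoMac)
    @(
        "show mac address-table address $CiscoMac",
        "configure terminal",
        "interface <port-from-previous-command>",
        " shutdown",
        " description CONTAINED $(Get-Date -Format u) rogue MAC $CiscoMac",
        "end",
        "write memory"
    )
}

# --- Usage with hypothetical values -----------------------------------------
Disable-CompromisedAccount -Name 'jdoe'                  # compromised domain account
Disable-CompromisedAccount -Name 'Administrator' -Local  # built-in admin, run on the host
$mac = Get-RogueMac -IPAddress '10.0.5.23'
Get-PortShutdownCommands -CiscoMac (ConvertTo-CiscoMac $mac)
```

Run the account steps first: once the switch port is shut down, the host can no longer receive a GPO refresh, so the GPO-based Administrator disable in the standards above has to land before the host is hobbled.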
End State
The compromised user account and the Administrator account have been disabled, the host has been isolated from the network, investigation and rebuild procedures have been completed, and the system is physically powered off.