The eradication phase in incident response involves eliminating the root cause of the incident and strengthening defenses to prevent recurrence. In this case:
Intrusion Prevention System (D): Adding new rules to the IPS to detect and block malicious activity on TCP/135 is a direct eradication step to remove the threat’s entry point and prevent future attacks.
Centralized User Management (C): Hardening user accounts, removing unnecessary permissions, and applying tighter authentication/authorization measures helps eliminate the possibility that threat actors could exploit weak or mismanaged accounts to continue accessing the system.
Although anti-malware software (A) and enterprise block listing (E) are valuable, the most direct eradication steps here specifically involve managing network access (via IPS) and strengthening user controls (via centralized user management), especially when TCP/135 (MSRPC endpoint mapper) can be used to enumerate services and potentially access vulnerable endpoints remotely.
This aligns with best practices outlined in incident response frameworks (such as the NIST SP 800-61 and referenced resources), which emphasize closing the exploited entry points (in this case, TCP/135) and removing any lingering access points through user management and network control enhancements.
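To make the IPS step concrete, the following is an added example (not from the study guide or the referenced sources) that scans constructed connection-log lines for TCP/135 sessions originating outside an assumed trusted range and emits a Suricata-style drop rule per offending source. The log format, the trusted 10.0.0.0/8 range, the sample addresses, and the sid values are all assumptions for illustration.

```python
"""Detect TCP/135 (MSRPC endpoint mapper) connections from untrusted sources
and propose IPS block rules. Added example; log format and networks are assumed."""
import ipaddress

# Constructed sample log lines (not from any real system). Documentation
# ranges (203.0.113.0/24, 198.51.100.0/24) stand in for external sources.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.5.23 dst=10.0.1.10 proto=tcp dport=135 action=allow
2024-05-01T10:00:02Z src=203.0.113.7 dst=10.0.1.10 proto=tcp dport=135 action=allow
2024-05-01T10:00:03Z src=198.51.100.9 dst=10.0.1.11 proto=tcp dport=443 action=allow
2024-05-01T10:00:04Z src=203.0.113.7 dst=10.0.1.12 proto=tcp dport=135 action=allow
2024-05-01T10:00:05Z src=10.0.5.23 dst=10.0.1.12 proto=udp dport=135 action=allow
"""

# Assumed trusted internal range; RPC endpoint-mapper traffic is expected only from here.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict (timestamp stored under 'ts')."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    fields["ts"] = parts[0]
    return fields


def is_trusted(ip):
    """True if the address falls inside any trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_untrusted_msrpc(log_text):
    """Return (timestamp, src, dst) for every TCP/135 session from an untrusted source."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("proto") == "tcp" and f.get("dport") == "135" and not is_trusted(f["src"]):
            hits.append((f["ts"], f["src"], f["dst"]))
    return hits


def suggested_block_rules(hits, base_sid=1000001):
    """One Suricata-style drop rule per offending source (sid values are placeholders)."""
    sources = sorted({src for _, src, _ in hits})
    return [
        f'drop tcp {src} any -> $HOME_NET 135 (msg:"Untrusted MSRPC endpoint mapper access"; '
        f"sid:{base_sid + i}; rev:1;)"
        for i, src in enumerate(sources)
    ]


if __name__ == "__main__":
    found = find_untrusted_msrpc(SAMPLE_LOG)
    for ts, src, dst in found:
        print(f"{ts} untrusted TCP/135 attempt {src} -> {dst}")
    for rule in suggested_block_rules(found):
        print(rule)
```

Internal-to-internal TCP/135 and the UDP line are deliberately left alone: the point of the rule is to close the external entry point without breaking legitimate RPC traffic inside the trusted network.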
Reference: CyberOps Technologies (CBRFIR) 300-215 study guide, Chapter: Understanding the Incident Response Process, Eradication Phase, pages 105-106.
External references: [1] "The Core Phases of Incident Response – Remediation," Cipher blog. [2] "Service Overview and Network Port Requirements," Microsoft documentation.