T1218.005 - msxsl Abuse - Host Recovery & Mitigation Plan
Remediation steps for cleaning up msxsl.exe and more_eggs persistence, including registry cleanup, file removal, and credential reset procedures.
Tasks

- Immediate: Quarantine the host and block execution from AppData\Roaming (for example with an AppLocker or Software Restriction Policy path rule), since both the dropped msxsl.exe and its staging files live there.
- Registry / Task Cleanup (run these in the affected user's context; the Run value is under HKCU, so running them as a different administrator removes nothing):
    schtasks /delete /tn "EggsUpdate" /f
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v EggsUpdate /f
- File & Process Removal (terminate any msxsl.exe running from this path first, and hash and preserve a copy of each file before deleting it):
  - Delete: C:\Users\redacted\AppData\Roaming\Microsoft\Network\msxsl.exe
  - Delete: 12CD877E9F06A22D3.txt
  - Delete:
- Credential Reset: Force password changes for affected users.
- Verification: Confirm the task, Run value and files are gone, and that the host issues no further DNS TXT lookups or DoH traffic.
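The steps above, carried out as one script. This is an added example and not part of the original plan or of any tooling it describes. It takes the "EggsUpdate" task and Run value name and the two artefact file names from the page; the evidence directory, the directory of the .txt file (the page gives only its name), the profile path C:\Users\redacted and the $AffectedUsers list are assumptions to be filled in from the case file.

```powershell
# Added example (not from the original report): clean up msxsl.exe / more_eggs
# persistence on an already-quarantined host. Run from an elevated PowerShell.
# Assumptions (hypothetical): $EvidenceDir, $StagingDir for the .txt artefact,
# the profile path C:\Users\redacted, and the $AffectedUsers list.
$ErrorActionPreference = 'Continue'
$Started     = Get-Date
$PersistName = 'EggsUpdate'                      # task and Run value name from the page
$EvidenceDir = 'C:\IR\Evidence'                  # assumed
$StagingDir  = 'C:\Users\redacted\AppData\Roaming\Microsoft\Network'
$Artifacts   = @(
    (Join-Path $StagingDir 'msxsl.exe'),
    (Join-Path $StagingDir '12CD877E9F06A22D3.txt')   # directory is an assumption
)
$RunSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Run'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Stop any msxsl.exe running out of a roaming profile before touching files.
Get-Process -Name msxsl -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like '*\AppData\Roaming\*' } |
    ForEach-Object { "Stopping PID $($_.Id): $($_.Path)"; Stop-Process -Id $_.Id -Force }

# 2. Scheduled task: keep the XML definition for the case file, then remove it.
if (Get-ScheduledTask -TaskName $PersistName -ErrorAction SilentlyContinue) {
    Export-ScheduledTask -TaskName $PersistName |
        Set-Content -Path (Join-Path $EvidenceDir "$PersistName.task.xml")
    Unregister-ScheduledTask -TaskName $PersistName -Confirm:$false
}

# 3. Run value. "reg delete HKCU" only reaches the hive of the account running
#    the command, so walk every loaded user hive under HKEY_USERS instead.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
function Get-RunValueHits {
    Get-ChildItem HKU:\ | ForEach-Object {
        $run = "$($_.PSPath)\$RunSubKey"
        $val = Get-ItemProperty -Path $run -Name $PersistName -ErrorAction SilentlyContinue
        if ($val) { [pscustomobject]@{ Key = $run; Value = $val.$PersistName } }
    }
}
foreach ($hit in Get-RunValueHits) {
    "$($hit.Key)\$PersistName = $($hit.Value)" |
        Add-Content -Path (Join-Path $EvidenceDir 'run_values.txt')
    Remove-ItemProperty -Path $hit.Key -Name $PersistName
}

# 4. Files: record SHA-256, preserve a copy, then delete.
foreach ($f in $Artifacts) {
    if (Test-Path -Path $f) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $f).Hash
        "$hash  $f" | Add-Content -Path (Join-Path $EvidenceDir 'hashes.txt')
        Copy-Item -Path $f -Destination (Join-Path $EvidenceDir "$hash.bin")
        Remove-Item -Path $f -Force
    }
}

# 5. Credential reset for domain accounts (needs the ActiveDirectory module).
$AffectedUsers = @()                             # hypothetical; fill from the case file
foreach ($u in $AffectedUsers) {
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true
}

# 6. Verification: persistence really gone, and no DNS queries since $Started
#    from a process under AppData\Roaming (Sysmon event 22, if Sysmon is present).
$leftovers = @(
    Get-ScheduledTask -TaskName $PersistName -ErrorAction SilentlyContinue
    Get-RunValueHits
    $Artifacts | Where-Object { Test-Path -Path $_ }
)
$roamingDns = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22; StartTime = $Started
    } -ErrorAction SilentlyContinue | Where-Object {
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'Image' -and $_.'#text' -like '*\AppData\Roaming\*' }
    }
$txtCached = Get-DnsClientCache | Where-Object { $_.RecordType -eq 'TXT' }

"Leftover persistence items : $($leftovers.Count)"
"DNS queries from roaming   : $($roamingDns.Count)"
"TXT records still cached   : $($txtCached.Count)"
```

Two caveats on the verification step. Sysmon event 22 records which process issued a query but not its record type, and DoH never reaches the DNS client at all, so a clean result here is necessary but not sufficient: confirm DoH is gone from network telemetry (Sysmon event 3 or proxy logs showing connections from msxsl.exe, or any process under AppData\Roaming, to a resolver on 443). Also, only hives of currently logged-on users appear under HKEY_USERS; for a logged-off account, load its NTUSER.DAT with reg load and re-run step 3.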