Are they still here? This question plays an important part in your investigation. If there is an active attacker in the environment, you need to identify and block all of their remote access and backdoors before remediation. If you kick them out one system at a time, there is a strong chance the attacker will simply go dormant and return a month or two later. Using the Sniper Incident Response framework, you can quickly triage hosts for persistence and kick the attacker out.
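The point above is that persistence must be enumerated across every host before anything is removed, so the whole footprint can be cut off at once. The following added example (written for this page, not code from the original post or from the Sniper Incident Response framework) shows that workflow on constructed data: per-host autostart inventories in a simplified autoruns-style format, an assumed known-good baseline, and a few common heuristics (entry not on the baseline image, executable in a user-writable path, hidden or encoded PowerShell). The output is one remediation plan that lists every host carrying each artifact, rather than a per-host cleanup.

```python
"""Fleet-wide persistence triage: inventory every host first, then
remediate the full set in one coordinated action.

Added example; the inventories, baseline and heuristics below are
constructed assumptions, not data from any real environment.
"""
import re

# Constructed known-good baseline: (category, autostart name, executable basename)
# taken from a clean build image.
BASELINE = {
    ("run_key", "OneDrive", "onedrive.exe"),
    ("service", "WinDefend", "msmpeng.exe"),
    ("scheduled_task", "GoogleUpdateTaskMachineUA", "googleupdate.exe"),
}

# Constructed sample inventories, one list of (category, name, command) per host.
HOST_INVENTORY = {
    "WS01": [
        ("run_key", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
        ("scheduled_task", "SystemUpdater", r"powershell.exe -nop -w hidden -enc <base64-placeholder>"),
        ("service", "WinDefend", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    ],
    "WS02": [
        ("run_key", "OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
        ("scheduled_task", "SystemUpdater", r"powershell.exe -nop -w hidden -enc <base64-placeholder>"),
        ("run_key", "svchost", r"C:\Users\Public\svchost.exe"),
    ],
    "SRV01": [
        ("service", "WinDefend", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
        ("service", "RemoteSupport", r"C:\ProgramData\rs\agent.exe -k"),
        ("scheduled_task", "GoogleUpdateTaskMachineUA", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"),
    ],
}

# Heuristics (assumed, deliberately simple): locations any user can write to,
# and PowerShell launched with hidden/encoded/no-profile switches.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*?(?:-enc\b|-e\b|-w hidden|-nop\b)", re.IGNORECASE)


def exe_name(command: str) -> str:
    """Lower-cased basename of the program a command line launches."""
    m = re.match(r'^(?:"([^"]+)"|(.+?\.exe))', command, re.IGNORECASE)
    path = (m.group(1) or m.group(2)) if m else command.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def classify(category, name, command, baseline=BASELINE):
    """Return the artifact key and the list of reasons it looks suspicious."""
    key = (category, name, exe_name(command))
    if key in baseline:          # same name AND same binary as the clean image
        return key, []
    reasons = ["not in baseline"]
    if USER_WRITABLE.search(command):
        reasons.append("user-writable path")
    if ENCODED_PS.search(command):
        reasons.append("encoded/hidden powershell")
    return key, reasons


def triage_fleet(inventory, baseline=BASELINE):
    """Correlate suspicious autostarts across all hosts, keyed by artifact."""
    findings = {}
    for host, entries in inventory.items():
        for category, name, command in entries:
            key, reasons = classify(category, name, command, baseline)
            if not reasons:
                continue
            f = findings.setdefault(key, {"hosts": set(), "reasons": set(), "commands": set()})
            f["hosts"].add(host)
            f["reasons"].update(reasons)
            f["commands"].add(command)
    return findings


def remediation_plan(findings):
    """Widest footprint first: each item names every host to clean at the same time."""
    ordered = sorted(findings.items(), key=lambda kv: (-len(kv[1]["hosts"]), kv[0]))
    return [
        {"category": cat, "name": name, "exe": exe,
         "hosts": sorted(f["hosts"]), "reasons": sorted(f["reasons"])}
        for (cat, name, exe), f in ordered
    ]


if __name__ == "__main__":
    for item in remediation_plan(triage_fleet(HOST_INVENTORY)):
        print(f"{item['category']:15} {item['name']:15} "
              f"hosts={','.join(item['hosts'])}  {'; '.join(item['reasons'])}")
```

The baseline is keyed on the executable basename as well as the autostart name, so an attacker reusing a legitimate entry name with a different binary still surfaces. In practice the inventories would come from a collector run against every host in scope, and the plan is only actioned once the collection is complete.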