Malware Investigation - Manual Deprecated

Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack') Master playbook for investigating suspected malware presence on an endpoint. Labels: - System: the hostname for the endpoint being investigated

Malware Core · 91 tasks · 0 inputs · 0 outputs

Flowchart

No yes yes no yes no yes no yes Close as false positive Continue start_task start_task Initial Triage Initial Triage Get device profile Get device profile Get employee information of the machine's owner Get employee information ... Review incident details Review incident details Assess severity Assess severity Notify head of IR team via Slack and Email Notify head of IR team vi... Assign and involve appropriate personnel Assign and involve approp... Review monitoring data Review monitoring data Search for recent events related to the investigated machine Search for recent events ... Is there continuous network capture of the machine? Is there continuous netwo... Retrieve packet capture for last 24 hours or at most 200MB Retrieve packet capture f... Review antivirus logs for the affected systems Review antivirus logs for... Search UEBA solution for the relevant user's behavior Search UEBA solution for ... Search DNS server logs for investigated machine's activity Search DNS server logs fo... Search web proxy logs for recent activity from this machine Search web proxy logs for... Search firewall logs for blocked traffic from this machine Search firewall logs for ... Collect evidence from the investigated machine Collect evidence from the... Trigger a snapshot / system restore point of affected systems Trigger a snapshot / syst... Collect volatile system data Collect volatile system data Fetch the system's security event log Fetch the system's securi... Create memory dump of the system Create memory dump of the... Collect autorun data Collect autorun data Collect prefetch data Collect prefetch data Collect browser history Collect browser history Collect USB device history Collect USB device history Analyze collected evidence Analyze collected evidence Look for suspicious local Windows user accounts and groups Look for suspicious local... Look for suspicious autorun entries Look for suspicious autor... Review file reputation for all autorun items Review file reputation fo... Detonate any suspicious autorun items in sandbox Detonate any suspicious a... Check processes against existing YARA signatures Check processes against e... Volatility - search for malicious IP addresses Volatility - search for m... Volatility - Check domains in DNS cache against TIP Volatility - Check domain... Volatility - search for suspicious domains in DNS cache Volatility - search for s... Volatility - review psxview results Volatility - review psxvi... Volatility - review malfind results Volatility - review malfi... Volatility - show list of previously run system commands Volatility - show list of... Correlate recently created and modified files against TIP Correlate recently create... Review prefetch data Review prefetch data Review history of connected USB drives Review history of connect... Look for processes without executable image on disk Look for processes withou... Look for system processes with suspicious execution times Look for system processes... Look for process with short edit distance from known process Look for process with sho... Check process tree and look for suspicious relationships Check process tree and lo... Look for traces of network sniffers Look for traces of networ... Analyze network traffic for malware activity Analyze network traffic f... Review shellbag data Review shellbag data Look up hashes to find trojanized modules Look up hashes to find tr... Analyze network traffic for signs of intrusion Analyze network traffic f... Look for modifications of system files Look for modifications of... Data Leak Assessment Data Leak Assessment Assess history of C&C communication in network logs Assess history of C&C com... Assess the history of local and remote file accesses Assess the history of loc... Assess unusual activity and data access Assess unusual activity a... Was any sensitive information leaked? Was any sensitive informa... Notify Public Relations (PR) team Notify Public Relations (... Respond Respond Was malware found? Was malware found? Inform user that no malware was found Inform user that no malwa... Report malware sample to AV vendor Report malware sample to ... Disable compromised AD account(s) Disable compromised AD ac... Revoke authentication keys stored on the compromised host Revoke authentication key... Revoke VPN credentials Revoke VPN credentials Instruct the owner to change their passwords Instruct the owner to cha... Ban relevant hashes across all systems Ban relevant hashes acros... Search for malicious communications from other systems Search for malicious comm... Remediate and wrap up Remediate and wrap up Notify affected user Notify affected user Provide end-user remediation guidance and link to training Provide end-user remediat... Is the identified malware known? Is the identified malware... Document manual remediation steps Document manual remediati... Trigger remediation scripts Trigger remediation scripts Was remediation successful? Was remediation successful? Open a ticket for IT to reimage the entire system Open a ticket for IT to r... Remove temporary containment measures Remove temporary containm... Reinstate disabled user accounts with new passwords Reinstate disabled user a... Deploy generated IoCs in relevant controls Deploy generated IoCs in ... Share generated IoCs with partner organizations Share generated IoCs with... Email report to CISO Email report to CISO Continue with the investigation or close as false positive? Continue with the investi... False Positive False Positive Continue with the investigation Continue with the investi... Update incident with findings Update incident with find... Memory Dump Investigation Memory Dump Investigation Device Investigation Device Investigation Autorun Investigation Autorun Investigation Processes Investigation Processes Investigation Network Investigation Network Investigation Done Done No Malware Found No Malware Found