Post Intrusion Ransomware Investigation
Provides the first step in the investigation of ransomware attacks. The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database. You will be guided with further investigation steps throughout the playbook, some of the key features are: - Encrypted file owner investigation - Endpoint forensic investigation - Active Directory investigation - Timeline of the breach investigation - Indicator and account enrichment Playbook settings and mapping: For the full operation of the playbook, the following data should be mapped to the relevant incident fields. Username - Usernames (common incident field) Hostname - Hostnames (common incident field)
Ransomware · 41 tasks · 5 inputs · 0 outputs
Inputs
AutoRemediation— Determines whether to perform auto-isolation and remediation for the infected endpoint and indicators. Values: - True - False. This is the default.NotificationEmail— The email addresses to notify if there is a possibility of the malware spreading and infecting other endpoints. Can be a CSV list.EmailBody— The malware notification message content.UserVerification— Possible values: True/False. Whether to provide user verification for blocking IPs. False - No prompt will be displayed to the user. True - The server will ask the user for blocking verification and will display the blocking list.AutoBlockIndicators— Possible values: True/False. Default: True. Should the given indicators be automatically blocked, or should the user be given the option to choose? If set to True - no prompt will appear, and all provided indicators will be blocked automatically. If set to False - the user will be prompted to select which indicators to block.
Commands used
ad-disable-account
rasterize-email
relatedIncidents
send-mail
setIncident
setIndicators