Alert Playbook - Device - Malware
Consider the criticality of the device (workstation or server) when deciding on escalation.
The goal is to identify the malware and make sure the infection was stopped.
Defender Actions
- Verify the actions taken by Defender. Was the malware prevented?
- Make sure the actions were successful with the steps below.
File Reputation
- Is it PUA/Adware or of higher severity? Try to identify the malware and its severity with the steps below.
- Look up the hash in VirusTotal
  - Playbook: Playbook - VirusTotal File
  - Verify the signature
  - Verify the global prevalence
- Google for context: file name, folder names, hash, command line, software company, software description, script/command strings
File Context
- Investigate the parent process
  - Repeat the steps from the File Reputation section
  - Is the parent (or the parent's parent) process Explorer, a Service, or a Scheduled Task?
- Is the file in a suspicious/uncommon folder?
  - See the suspicious folders annex
- Where does the file come from?
  - Downloads folder, external drive (e.g. X:), file share
Timeline
- Look for events before and after the detection for more context: URLs, connections, dropped files, etc.
- Search the Timeline for keywords: file name, folder names, IP, domain, command line, strings, parent process
- A domain resolved shortly before a download can give you the origin URL
Advanced Hunting
- Look for the antivirus reports
  - Defender Query: Device - Other
- Look for file activity within the folder
  - Defender Query: Device - Activity in Folder -> modify the folder regex accordingly
- Look for the browser history and correlate it with the download time to find the origin URL
  - Defender Query: Device - Browser History
- Look for signs of persistence around the time of the infection
  - Defender Query: Device - Persistence
- Look for suspicious PowerShell commands
  - Defender Query: Device - Powershell-Cmd
- Look for suspicious processes before and after the infection time
  - Defender Query: Device - Process Summary
- Pivot! Use any finding and repeat the steps above for further context
IOC Hunting
- Search for the collected IOCs (hashes, domains, IPs, file names) to make sure no other devices are infected
  - Defender Query: search "IOC"
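As an added example that is not part of the original playbook (and not the saved "IOC" query it references), the IOC sweep above written as a Defender Advanced Hunting (KQL) query over the file, process and network tables; the hash, domain and IP values are constructed placeholders to be replaced with the IOCs collected during the investigation, and the 30-day lookback is an assumption:

```kusto
// Constructed placeholder IOCs: replace with the values collected from the alert,
// VirusTotal and the Timeline steps of this playbook.
let ioc_hashes  = dynamic(["<sha256_placeholder_1>", "<sha256_placeholder_2>"]);
let ioc_domains = dynamic(["malicious-download.invalid"]);
let ioc_ips     = dynamic(["203.0.113.10"]);
let lookback = 30d;   // assumed retention window for the sweep
// Files written or executed that match an IOC hash
let files = DeviceFileEvents
| where Timestamp > ago(lookback)
| where SHA256 in (ioc_hashes)
| project Timestamp, DeviceName, Source="File", Indicator=SHA256,
          Detail=strcat(FolderPath, " <- ", InitiatingProcessFileName);
// Process launches whose image matches an IOC hash
let procs = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where SHA256 in (ioc_hashes)
| project Timestamp, DeviceName, Source="Process", Indicator=SHA256,
          Detail=ProcessCommandLine;
// Connections to IOC domains or IPs, with the process that made them
let net = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in (ioc_ips) or RemoteUrl has_any (ioc_domains)
| project Timestamp, DeviceName, Source="Network",
          Indicator=iff(isempty(RemoteUrl), RemoteIP, RemoteUrl),
          Detail=strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort));
// One row per device: anything beyond the originally alerted device is a new infection to triage
union files, procs, net
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Hits=count(),
            Indicators=make_set(Indicator), Sources=make_set(Source) by DeviceName
| order by FirstSeen asc
```

Every device returned other than the one in the alert should be run through the same Defender Actions and File Context steps before the alert is closed.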
Device and User Context
- Verify the criticality of the device
  - Is it a critical device?
  - Is it a server or a workstation?
- Verify the user details
  - Is the user an IT admin?
  - Is the user a non-IT user?
  - Is the user a Developer/Solution Designer?
Escalation Form
Fill out the form below before escalating an alert. Take a screenshot of the output or select and copy the entire page and share it with the relevant people: