Blue Team Playbook
This is a comprehensive playbook for incident response, including checklists for identifying and remediating malware.
- Windy Garlic
IDENTIFY MALWARE
PROCESS EXPLORER
Step 1: Look at running processes in Process Explorer (GUI) and identify potential indicators of compromise:
• Items with no icon
• Items with no description or company name
• Unsigned Microsoft images (first add the Verified Signer column under View tab -> Select Columns, then go to the Options tab and choose Verify Image Signatures)
• Check all running process hashes in VirusTotal (go to the Options tab and select Check VirusTotal.com)
• Suspicious files in Windows directories or the user profile
• Purple items, which are packed or compressed
• Items with open TCP/IP endpoints
Step 2: Signature file check (see Sigcheck).
Step 3: Strings check:
• Right click the suspicious process in Process Explorer, choose the Strings tab in the pop-up window and review it for suspicious URLs. Repeat for the Image and Memory radio buttons.
• Look for strange URLs in the strings
Step 4: DLL view:
• Open it with Ctrl+D
• Look for suspicious DLLs or services
• Look for entries with no description or no company name
• Look at VirusTotal Results column
Step 5: Stop and remove malware:
• Right click and select Suspend for each identified suspicious process
• Right click and select Terminate for each previously suspended process
Step 6: Clean up the locations where malicious files auto-start on reboot:
• Launch Autoruns
• Under Options, check the boxes Verify Code Signatures and Hide Microsoft Entries
• On the Everything tab, look for the suspicious process file from the earlier steps and uncheck it. It is safer to uncheck than to delete, in case of error.
• Press F5 to refresh Autoruns and confirm that the malicious file has not recreated the entry in the auto-start location you just unchecked.
Step 7: Process Monitor:
• If malicious activity persists, run Process Monitor.
• Look for newly started processes that start soon after the ones terminated in the previous steps.
Step 8: Repeat as needed to find all malicious files and processes, and/or combine with other tools and suites.
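A scripted version of the Step 1 checks, added here as an example and not part of the original playbook: it applies the same indicators (signature status, missing company name, image location, open TCP endpoints) to every running process and records each image's SHA-256 for a manual VirusTotal lookup. It assumes an elevated Windows PowerShell 5.1 session; the function name and the choice of the Temp and Users roots as suspicious locations are assumptions to adjust for your environment.

```powershell
# Added example, not part of the playbook: applies the Step 1 indicators
# (unsigned image, no company name, image under a user profile or temp path,
# open TCP endpoints) to every running process. Assumes an elevated Windows
# PowerShell 5.1 session; unreadable (protected) images are flagged, not skipped.
function Get-SuspectProcess {
    # Roots a legitimate service binary rarely runs from (assumption)
    $roots = @("$env:SystemRoot\Temp", "$env:SystemDrive\Users")
    # PID -> established, non-loopback TCP connections, built once up front
    $byPid = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        Group-Object -Property OwningProcess -AsHashTable -AsString

    foreach ($p in Get-Process) {
        $reasons = New-Object System.Collections.Generic.List[string]
        $path = $p.Path; $company = $null; $sig = 'unknown'; $hash = $null
        if (-not $path) {
            $reasons.Add('image path unreadable (protected process or access denied)')
        } else {
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            if ($sig -ne 'Valid') { $reasons.Add("signature $sig") }
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            if (-not $company) { $reasons.Add('no company name') }
            $hit = $roots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') } | Select-Object -First 1
            if ($hit) { $reasons.Add("runs from $hit") }
            # SHA-256 for a manual VirusTotal lookup (nothing is uploaded)
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        $conns = @()
        if ($byPid -and $byPid.ContainsKey("$($p.Id)")) {
            $conns = @($byPid["$($p.Id)"] | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" })
            $reasons.Add("$($conns.Count) remote TCP endpoint(s)")
        }
        if ($reasons.Count -eq 0) { continue }   # nothing to triage for this process
        [pscustomobject]@{
            PID = $p.Id; Name = $p.ProcessName; Path = $path; Company = $company
            Signature = $sig; Sha256 = $hash
            Endpoints = ($conns -join ', '); Reasons = ($reasons -join '; ')
        }
    }
}

# Review the entries with the most reasons first
Get-SuspectProcess | Sort-Object { ($_.Reasons -split ';').Count } -Descending |
    Format-Table PID, Name, Signature, Company, Endpoints, Reasons -AutoSize
```

Signature status is verified against the local certificate store, so a valid signature only says the image is unmodified, not that it is benign; a valid signature from an unfamiliar publisher still deserves the Step 3 strings check.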
CHECKLIST FOR EVERY SUSPECT MACHINE
1 Network connections -
netstat -nob
2 Auto run tasks -
Task Scheduler, the user's startup folder, the ALL USERS startup folder, registry, WMI, verified tasks, etc.
OR use Autoruns (Sysinternals) -
• check the Logon tab and Scheduled Tasks
• yellow is suspicious: it means the file can't be located
• pink means unverified
• check the Explorer and Services tabs
• check the Drivers tab for suspicious drivers
3 Removable media -
USB, CD, network drives
Check common folders
4 Email -
Email clients / email server
Check web history
5 Recent files/folders (that align with the time of attack) -
‘datemodified:today’
6 Processes -
Task Manager, Process Explorer, Process Monitor
Process Explorer -
• check whether the process has a publisher and it is verified
• check where the process is running from
• check the parent process
• check VirusTotal
• check the web
• check the TCP/IP tab for connections
• check strings; look for IPs, commands and IOCs
7 Logs -
Event Viewer
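The Autoruns checks from item 2 above and Step 6 of the Process Explorer section, scripted as an added example that is not part of the original playbook: it walks the Run/RunOnce keys and scheduled-task actions, verifies each target's signature, hides entries validly signed by Microsoft (the equivalent of Verify Code Signatures plus Hide Microsoft Entries) and reports targets that cannot be located, which Autoruns shows in yellow. The function names, the image-extraction heuristic and the set of locations (only Run keys and tasks, far fewer than Autoruns itself covers) are assumptions; it assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example, not part of the playbook: Run/RunOnce values and scheduled-task
# actions with signature verification, Microsoft entries hidden, and targets that
# cannot be located reported as NotFound. Assumes elevated Windows PowerShell 5.1.
function Resolve-CommandImage([string]$Command) {
    # Pull the image out of a command line: quoted path, unquoted path ending in
    # a known extension, or a bare name looked up on PATH. Null = cannot be located.
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $token = if ($c -match '^"([^"]+)"') { $Matches[1] }
             elseif ($c -match '^(.+?\.(exe|dll|cmd|bat|vbs|js|ps1))(\s|$)') { $Matches[1] }
             else { ($c -split '\s+')[0] }
    if (Test-Path -LiteralPath $token -PathType Leaf) { return (Get-Item -LiteralPath $token).FullName }
    $app = Get-Command -Name $token -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($app) { return $app.Source }
    return $null
}

function Get-SuspectAutostart {
    $entries = New-Object System.Collections.Generic.List[object]
    $base = 'Software\Microsoft\Windows\CurrentVersion'
    foreach ($key in "HKLM:\$base\Run", "HKLM:\$base\RunOnce", "HKCU:\$base\Run", "HKCU:\$base\RunOnce") {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($v in $props.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
            $entries.Add([pscustomobject]@{ Source = $key; Name = $v.Name; Command = [string]$v.Value })
        }
    }
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }        # COM-handler actions carry no image
            $entries.Add([pscustomobject]@{ Source = "Task $($t.TaskPath)$($t.TaskName)"
                                            Name = $t.TaskName; Command = "$($a.Execute) $($a.Arguments)" })
        }
    }
    foreach ($e in $entries) {
        $image = Resolve-CommandImage $e.Command
        $status = 'NotFound'
        if ($image) {
            $sig = Get-AuthenticodeSignature -FilePath $image
            $status = $sig.Status
            # Equivalent of Autoruns' "Hide Microsoft entries": drop valid Microsoft signatures
            if ($status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation') { continue }
        }
        [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Image = $image
                           Signature = $status; Command = $e.Command }
    }
}

Get-SuspectAutostart | Format-Table Signature, Source, Name, Image -AutoSize
```

A NotFound entry is worth keeping as evidence even when the file is gone: the Command value still records where the malware expected to run from and can be compared with the paths collected in the process triage.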
How many systems are still unknown, clear, suspicious, or infected?
Networking device(s) changes (switches, routers, firewalls, IPS, NAC, Wi-Fi, etc.).
Active Directory OU isolation of suspected systems.
Active Directory - User account restrictions and resets.
Active Directory policies to prohibit threats from
running and/or access.
Firewall blocks.
DNS blocks (null route malware site(s)).
Web filtering blocks.
REMEDIATION TASKS
Administrative AD Password Changes.
Local Administrative Password Changes.
User AD Password Changes.
Local User Password Changes.
Service Account Password Changes.
Push Antivirus updates for detected malware.
Try multiple antivirus tools.
What Active Directory GPO policies are set (logs, restrictions, etc.)?
What is the network architecture and how would Malware traverse?
Are there additional IDS/IPS segments that need coverage to prevent/detect outbreak?
3rd Party Applications missing patches (Adobe, Java, etc.)?
Open/Closed
Monitor client email for vendor or other business continuity items of interest.
Monitor RDP sessions on external accessible RDP client system.
Are there any applications in use that are facilitating the attack? If so, are there alternatives?
Is there a baseline system to review for changes?
Monitor user name variations.
Managing and monitoring tasks.
Review border router logs.
Review VPN (remote access) logs.
Citrix / VMWare or similar logs.
Review accounting server(s) logs and trends of users.
AD server logs.
Review Anti-Virus (Malicious Code Services) logs.
Review email abuse notifications and logs.
Review DNS logs.
Review account and policy abuse logs.
Review host firewall logs.
Key Questions to Answer
• What was the initial attack vector? (i.e., How did the adversary gain initial access to the network?)
• How is the adversary accessing the environment?
• Is the adversary exploiting vulnerabilities to achieve access or privilege?
• How is the adversary maintaining command and control?
• Does the actor have persistence on the network or device?
• What is the method of persistence (e.g., malware backdoor, webshell, legitimate credentials, remote tools, etc.)?
• What accounts have been compromised and what privilege level (e.g., domain admin, local admin, user account, etc.)?
• What method is being used for reconnaissance? (Discovering the reconnaissance method may provide an opportunity for detection and to determine possible intent.)
• Is lateral movement suspected or known? How is lateral movement conducted (e.g., RDP, network shares, malware, etc.)?
• Has data been exfiltrated and, if so, what kind and via what mechanism?